Angel: LOL, I think I can see your problem... 800Mb/s is going to drown anything that has to assess and act on the data. I don't think you have much of a choice but to use multiple Snort boxes appropriately located on the network with varying rulesets that are appropriate to both the subnet they monitor and the expected traffic there. Paring down the rulesets to match the threat at each segment will help throughput.

Re: Buffering... You are right... Going back to Caswell's book Snort 2.0 Intrusion Detection, my memory has played a trick on me... The packets are placed into structures after they hit the detection engine and are flushed post-detection to disk in logging mode... Somehow the old brain had switched that to caching unprocessed packets... Don't ask...