June 21st, 2006, 01:43 PM
#6
I usually recommend creating a directory named '/snort' on my drive and placing everything in there: Snort, Oinkmaster, barnyard, etc.
Snort 2.6 does require a lot more memory than its predecessors (BTW), because of the prequalification search algorithm it uses (Aho-Corasick as opposed to Wu-Manber, as in previous releases), so if you have a problem with RAM usage here are some tips on how to limit the RAM usage:
"As noted in the RELEASE.NOTES, there was a change in the
default pattern matching engine from Wu-Manber to standard
Aho-Corasick which is faster but consumes more memory.
This effectively replaced an implicit config of
config detection: search-method mwm
with
config detection: search-method ac
The Aho-Corasick implementation in snort has a few different
memory models, standard, full, banded, sparse, and sparse
banded. The sparse and sparse-banded ones consume much less
memory... To use them, add a snort.conf line, as desired,
for example. Wu-Manber is being deprecated in the next
release.
config detection: search-method ac-sparsebands
There is also the lowmem method, which is slow, but uses
very little memory." -- Steve Sturgess, Snort Developer.
I suggest you use one of these examples if you have a RAM problem (95% utilization of the processor, etc.). 2.6.0 needs a good couple of gigs of RAM for non-customized machines.
I also suggest you don't use Snort to log directly to a DB. Having your IDS log directly to a DB is begging for it to drop packets. Instead, log to 'unified'; download, compile, and install 'barnyard'. Barnyard reads this unified file format and then inserts into the DB, abstracting the DB layer from the actual IDS.
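The two pieces of advice in this post (pick a lower-memory search-method, and write unified output for barnyard instead of logging straight to a database) can be checked mechanically. The following is an added example, not code from the post or from the Snort project: a small snort.conf audit that parses `config detection: search-method` and `output` lines and reports the conditions the post warns about. The constructed config fragments, the finding codes, and the `audit_snort_conf` function are all assumptions of this example; the search-method names (`mwm`, `ac`, `ac-sparsebands`, `lowmem`) and the `output unified:` / `output database:` plugin names are the ones the post itself mentions.

```python
import re

# Search-method values taken from the post's quoted developer note.
HIGH_MEMORY_METHODS = {"ac"}                     # standard Aho-Corasick, the 2.6 default
LOWER_MEMORY_METHODS = {"ac-sparsebands", "lowmem"}
DEPRECATED_METHODS = {"mwm"}                     # Wu-Manber, pre-2.6 default

# Only the leading keyword matters for this audit; the rest of the line is ignored.
SEARCH_RE = re.compile(r"^config\s+detection:\s*search-method\s+(\S+)", re.I)
OUTPUT_RE = re.compile(r"^output\s+([a-z_]+)\s*:", re.I)

# Constructed "before" fragment: default search method and direct DB logging.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
config detection: search-method ac
output database: log, mysql, user=snort dbname=snort host=localhost
"""

# Constructed "after" fragment following the post's advice.
FIXED_CONF = """\
config detection: search-method ac-sparsebands
output unified: filename snort.log, limit 128
"""


def audit_snort_conf(text):
    """Return a dict with the parsed search method, output plugins and findings.

    Findings are (code, message) pairs; codes are local to this example.
    """
    search_method = None
    outputs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SEARCH_RE.match(line)
        if m:
            search_method = m.group(1).lower()   # last one wins, as in snort.conf
            continue
        m = OUTPUT_RE.match(line)
        if m:
            outputs.append(m.group(1).lower())

    findings = []
    if search_method is None:
        findings.append(("DEFAULT_SEARCH",
                         "no search-method set; Snort 2.6 defaults to 'ac', "
                         "which uses the most memory"))
    elif search_method in HIGH_MEMORY_METHODS:
        findings.append(("HIGH_MEMORY_SEARCH",
                         "search-method '%s' is memory-hungry; consider "
                         "'ac-sparsebands' or 'lowmem'" % search_method))
    elif search_method in DEPRECATED_METHODS:
        findings.append(("DEPRECATED_SEARCH",
                         "search-method '%s' (Wu-Manber) is deprecated" % search_method))

    if "database" in outputs:
        findings.append(("DIRECT_DB_OUTPUT",
                         "sensor logs directly to a database; use 'output unified' "
                         "and let barnyard load the DB to avoid dropped packets"))

    return {"search_method": search_method, "outputs": outputs, "findings": findings}


def finding_codes(text):
    """Convenience wrapper: just the finding codes for a config text."""
    return [code for code, _ in audit_snort_conf(text)["findings"]]


if __name__ == "__main__":
    for name, conf in (("before", SAMPLE_CONF), ("after", FIXED_CONF)):
        report = audit_snort_conf(conf)
        print(name, report["search_method"], report["outputs"])
        for code, msg in report["findings"]:
            print("  ", code, "-", msg)
```

Run against the "before" fragment it flags both the default `ac` matcher and the direct database output; the "after" fragment, which uses `ac-sparsebands` and `output unified`, produces no findings. Only the first keyword of each `output` line is inspected, so a config that loads the database plugin under an unusual spelling would need the regex extended.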