The problem with Bro is how resource intensive it is to run. On a 1Gb/s stream, you wouldn't need “much” (this is highly relative…). On a 10Gb/s, you really need to identify what your actual throughput is like. For us, our 4.5Gb/s sustained traffic needs ~400 gigs of RAM and 40 cores. About 1/3rd of that goes into cache, but the rest is resident.