A few things in your preprocessors that may need to be tuned:
You should reduce the http_inspect decompress_depth and compress_depth. I would recommend reducing this from 65535 to something like 20000:
decompress_depth 20000 compress_depth 20000
You should reduce the http_inspect_server: post_depth from 65495 to 4000 or so:
http_inspect_server: post_depth 4000
The normalize preprocessor is expensive. You probably don't need to normalize as much as you are (unless you are looking for specific exploits in these types). I would recommend removing the following:
preprocessor normalize_ip4 preprocessor normalize_icmp4 preprocessor normalize_ip6 preprocessor normalize_icmp6
normalize_tcp is probably all that you need to normalize, but again this depends if you are looking for any specific exploits where this traffic would need to be normalized.
I wouldn't recommend using the sensitive data preprocessor unless you specifically need to look for data leaks, and if you are you should define specific hosts. This preprocessor is probably about a 20% performance hit, especially when no specific hosts are defined.
You can also enable and use the performance preprocessor. If you enable this with the right options, snort will print out statistics when it exits. This can have useful information such as which preprocessors/rules are most expensive.
See the documentation for this here I would use something like the following to enable 1 second performance monitoring and also enable rule and preprocessor profiling:
preprocessor perfmonitor: time 1 pktcnt 1000 config profile_rules: print all, sort total_ticks config profile_preprocs: print 100, sort total_ticks
It sounds like the preprocessors are likely causing performance problems. Enabling performance monitoring will tell you which preprocessors are most expensive and you can tune those until it works for your environment.