next up previous contents
Next: Catch the Vulnerability, Not Up: Writing Good Rules Previous: Writing Good Rules   Contents

Content Matching

Snort groups rules by protocol (ip, tcp, udp, icmp), then by port (ip and icmp use slightly different logic), then into those with content and those without. For rules with content, a multi-pattern matcher is used to select the rules that have a chance of matching, based on a single content from each rule. Selecting rules for evaluation via this "fast" pattern matcher was found to increase performance, especially when applied to large rule groups like HTTP. The longer and more unique a content is, the less likely it is that the rule and all of its other rule options will be evaluated unnecessarily; it is safe to say there is generally more "good" traffic than "bad", so a rule whose content never appears in good traffic is rarely evaluated in full. Rules without content are always evaluated (relative to the protocol and port group in which they reside), which can put a drag on performance. While some detection options, such as pcre and byte_test, perform detection in the payload section of the packet, they are not used by the fast pattern matching engine, so a rule that relies on them alone gets no prefiltering. If at all possible, try to have at least one content (or uricontent) rule option in your rule.
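The following is an added illustration, not code from the Snort manual or the Snort source: a toy model of the two-stage evaluation described above. Three constructed rules (hypothetical sids) detect the same directory traversal string, one with only a pcre, one with a short content plus the pcre, and one with a long content. The model picks the longest content of each rule as its fast pattern (Snort 2's default when no fast_pattern modifier is given) and uses a plain substring scan in place of Snort's real multi-pattern matcher, so it reproduces which rules reach full evaluation, not how fast the matcher runs. The sample HTTP payloads are constructed for this example.

```python
import re

# Constructed rule set (hypothetical sids). All three catch the same attack;
# they differ only in how much work the fast pattern stage can save.
RULES = {
    "pcre_only":     r'alert tcp any any -> any 80 (msg:"traversal, pcre only"; pcre:"/\.\.\/etc\/passwd/"; sid:1000001;)',
    "short_content": r'alert tcp any any -> any 80 (msg:"traversal, short content"; content:"../"; pcre:"/\.\.\/etc\/passwd/"; sid:1000002;)',
    "long_content":  r'alert tcp any any -> any 80 (msg:"traversal, long content"; content:"../etc/passwd"; sid:1000003;)',
}

# Minimal extraction of the only two rule options this model looks at.
CONTENT_RE = re.compile(r'content:"([^"]+)"')
PCRE_RE = re.compile(r'pcre:"/(.+?)/[a-zA-Z]*"')


def parse_rule(text):
    """Pull the content strings and the (optional) pcre out of a rule."""
    contents = CONTENT_RE.findall(text)
    m = PCRE_RE.search(text)
    return {"contents": contents, "pcre": re.compile(m.group(1)) if m else None}


def fast_pattern(parsed):
    """Snort 2's default choice of fast pattern: the longest content.
    A rule with no content has no fast pattern (returns None)."""
    return max(parsed["contents"], key=len) if parsed["contents"] else None


def prefilter(rules, payload):
    """Stage 1: names of rules that survive the fast pattern matcher.
    Rules without content always survive; rules with content survive only
    when their fast pattern occurs in the payload. A real multi-pattern
    matcher finds every fast pattern in one pass; a substring test per rule
    models the result, not the speed."""
    survivors = set()
    for name, text in rules.items():
        fp = fast_pattern(parse_rule(text))
        if fp is None or fp in payload:
            survivors.add(name)
    return survivors


def full_evaluate(parsed, payload):
    """Stage 2: evaluate every option of one rule (all contents, then pcre)."""
    if not all(c in payload for c in parsed["contents"]):
        return False
    if parsed["pcre"] is not None and not parsed["pcre"].search(payload):
        return False
    return True


def detect(rules, payload):
    """Return (rules fully evaluated, rules that alerted) for one payload."""
    evaluated = prefilter(rules, payload)
    alerts = {n for n in evaluated if full_evaluate(parse_rule(rules[n]), payload)}
    return evaluated, alerts


# Constructed sample payloads: ordinary traffic, ordinary traffic that happens
# to contain "../", and the traversal attack all three rules target.
BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BENIGN_DOTDOT = "GET /images/../logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ATTACK = "GET /cgi-bin/../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, payload in [("benign", BENIGN), ("benign ../", BENIGN_DOTDOT), ("attack", ATTACK)]:
        evaluated, alerts = detect(RULES, payload)
        print(f"{label:10s} fully evaluated={sorted(evaluated)} alerts={sorted(alerts)}")
```

On the benign request only the pcre-only rule reaches full evaluation, because it has nothing the fast pattern stage can use to rule it out; the short "../" content additionally drags its rule into full evaluation on any request that merely contains a relative path, while the long content is only evaluated when the attack string is actually present. All three alert on the attack, so the difference is purely the cost paid on the far more common good traffic.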


Eugene Misnik 2013-05-08