next up previous contents
Next: Testing Numerical Values Up: Writing Good Rules Previous: Catch the Oddities of   Contents

Optimizing Rules

The content matching portion of the detection engine has recursion to handle a few evasion cases. Rules that are not properly written can cause Snort to waste time duplicating checks.

The way the recursion currently works is this: if a pattern matches but any of the detection options after that pattern fail, the engine looks for the pattern again, starting after the position where it was found the previous time. This repeats until the pattern is not found again or all of the option functions succeed.

On first read, that may not sound like a smart idea, but it is needed. For example, take the following rule:

    alert ip any any -> any any (content:"a"; content:"b"; within:1;)

This rule would look for ``a'', immediately followed by ``b''. Without recursion, the payload ``aab'' would fail, because the first ``a'' is not immediately followed by ``b'', even though it is obvious that the payload ``aab'' does contain an ``a'' immediately followed by a ``b''.

While recursion is important for detection, the recursion implementation is not very smart.

For example, the following rule options are not optimized:

    content:"|13|"; dsize:1;

By looking at this rule snippet, it is obvious that the rule looks for a packet with a single byte of 0x13. However, because of recursion, a packet with 1024 bytes of 0x13 could cause 1023 too many pattern match attempts and 1023 too many dsize checks. Why? The content 0x13 would be found in the first byte, then the dsize option would fail; because of recursion, the content 0x13 would then be searched for again starting after where the previous 0x13 was found, and once it is found the dsize check would run again, repeating until 0x13 is not found in the payload any more.

Reordering the rule options so that discrete checks (such as dsize) are moved to the beginning of the rule speeds up Snort.

The optimized rule snippet would be:

    dsize:1; content:"|13|";

A packet of 1024 bytes of 0x13 would fail immediately, as the dsize check is the first option checked and dsize is a discrete check without recursion.

The following rule options are discrete and should generally be placed at the beginning of any rule:


Eugene Misnik 2013-05-08