Snort sensors are constantly reviewing rule performance data. The first and perhaps most important common common error is a lack of a long, unique content match. Snort takes the first, longest content match in a rule, and places it in the appropriate fast-pattern matcher. The PCRE engine is very useful, but we dont want to pay the penalty of its use without ensuring we have a chance to detect. The rule detects a 2006 vulnerability in Microsofts Vector Graphics Rendering.”]
Source: https://blog.talosintelligence.com/2009/07/rule-performance-part-one-content.html