Suricata

Profiling enabled on my 2.0beta1-

2 rules -
alert tcp any any -> any any (content:"curl"; http_header; sid:1;)
alert tcp any any -> any any (content:"curl"; http_user_agent; sid:1;)

If I run the sigs independently, both of them seem to take almost equal no of ticks,
according to the profiling stats.

If I load both the rules at the same time, the first sig that is processed is
reported to take a lot of ticks(which is equal to the ticks it would take to run it
individually), but the second sig takes far less ticks than the first sig that is
processed.

These are the ticks obtained from a simple pcap that I have that accesses
a web page-

cat rules_file_hh.rules
alert tcp any any -> any any (content:"curl"; http_header; sid:1;) // 24k ticks

cat rules_file_ua.rules
alert tcp any any -> any any (content:"curl"; http_user_agent; sid:1;) // 24k ticks

cat rules_file_both_1.rules
alert tcp any any -> any any (content:"curl"; http_header; sid:1;) // 24k ticks
alert tcp any any -> any any (content:"curl"; http_user_agent; sid:2;) // 3k ticks

cat rules_file_both_2_reverse_order.rules
alert tcp any any -> any any (content:"curl"; http_user_agent; sid:1;) // 24k ticks
alert tcp any any -> any any (content:"curl"; http_header; sid:2;) // 3k ticks

What might be the reason for the faster perf of the 2nd sig, when we load both of
them simultaneously. Caching from the first sig processing speeding the processing
on the second sig, bug?