If you expect the string data on a specific port, you can narrow down the number of packets searched. Basically, the best way to cut down CPU is the ability to tell what 'isn't' in the string. E.g., if your traffic is some unknown protocol, anything RELATED doesn't need to get string matched. If you're just doing firewall-based content filtering (not ideal), then you'd just use the string match on inbound tcp spt 80 and block tcp spt 443. As for the size of the string, I highly doubt that having different string lengths would make much of a performance hit. The search still has to traverse the entire packet regardless of how long the string is. The developer may say differently, but I don't see an advantage either way.
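The rule ordering described above (cheap conntrack and port matches first, the expensive string match only on inbound tcp sport 80, outright drop of sport 443), as an added example that is not part of the original post. The chain name FILTER_HTTP, the pattern argument and the log prefix are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Emits an iptables rule set in
# which only replies from tcp source port 80 reach the string match; RELATED
# traffic is accepted before any string rule, and tcp source port 443 is
# dropped because its content cannot be string matched anyway.
# Assumptions: chain FILTER_HTTP and the pattern are placeholders.

# Print the rules in order rather than applying them, so the order can be reviewed.
string_filter_rules() {
    pattern="$1"   # content pattern to look for (caller supplies it)
    cat <<EOF
iptables -N FILTER_HTTP
iptables -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j FILTER_HTTP
iptables -A INPUT -p tcp --sport 443 -j DROP
iptables -A FILTER_HTTP -m string --algo bm --string "$pattern" -m limit --limit 5/min -j LOG --log-prefix "STRMATCH: "
iptables -A FILTER_HTTP -m string --algo bm --string "$pattern" -j DROP
EOF
}

# Position (1-based line) of the first rule matching a pattern, for checking order.
rule_position() {
    string_filter_rules "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Apply the rules on a real host (needs root); not invoked here.
apply_rules() {
    string_filter_rules "$1" | sh
}
```

Run `apply_rules 'your-pattern'` as root to load the rules; the LOG rule ahead of the DROP gives a rate-limited audit trail of every match.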