It isn't clear, from a posted reproduction, where the line endings are. I'm guessing that
#alert tcp !$ICCP_CLIENT any -> $ICCP_SERVER $ICCP_PORT (flow:from_client,established; content:"|03 00|"; depth:2; content:"|E0 00 00|"; distance:3; depth:3; msg:"ICCP - COTP Connection Request From Unauthorized Client"; reference:scada,1111401.htm; classtype:bad-unknown; sid:1111401; rev:1; priority:2
is all one line (terminated by newline, carriage return, or both), and that
alert tcp $ICCP_SERVER $ICCP_PORT -> !$ICCP_CLIENT any (flow:established; content:"|03 00|"; depth:2; content:"|D0|"; distance:3; depth:1; msg:"ICCP - Unauthorized COTP Connection Established"; reference:scada,1111402.htm; classtype:bad-unknown; sid:1111402; rev:1; priority:1
is also a single line. I base this on the presence of a single '#' in the first case. Commented content is probably defined as any line that begins with '#' (or has '#' as its first non-whitespace character).
Knowing that is key information.
Obviously, the first thing is to strip the data of all comments. That's a trivial thing to do.
It appears that items of interest are all delimited by labels. strtok works with a collection of delimiters, but the delimiters are not multiple-character entities, like the labels. Regex to pick up a label would be simple to write (begins with whitespace, ends with ':'). It wouldn't be too hard to achieve that without regex. You mention "performance reasons." One can't tell from the context how important that is or what is actually considered to separate poor performance from good performance.
Perhaps you could clarify some of that and I could give you some example code. Incidentally, you can prevent the smilies from appearing in atypical, cluttered text (or code) by using the advanced posting option and disabling smilies.
EDIT: You might take a cut of the file and attach it so that copy/paste wouldn't be involved, and garfle up the file with non-existent line endings, and such. That would provide some relevant information.