I ran the command suricata --build-info. It shows that my copy of Suricata supports only Lua but not Luajit. I did a test of the two keywords, Lua and Luajit. First, I used the keyword Lua in a rule to reference a Lua script. It works. The rule triggers an alert. Then, I replaced the keyword Lua with Luajit. I expected that it should not work, since my copy of Suricata does not support Luajit. However, it works; the rule triggers the same alert too. So, what is the difference between these two keywords, Lua and Luajit? Also, is there a way to find out which one, Lua or Luajit, Suricata uses?
The keywords are the same. Originally we only supported luajit, so this was what the rule keyword was called. Later we also added regular lua support, so we renamed the keyword to just lua, with an alias to support old rules. But whether you use lua or luajit depends only on your compile time settings.
If this is the case, is there a way to find out which one, lua or luajit, Suricata uses? Does Suricata write out this information somewhere or to a log file?
Hi Victor, you can run
ldd <your/suricata/binary>
and it will tell you which lua library your suricata is linked against. Mine, for instance, says liblua5.1.so.0 => /lib/x86_64-linux-gnu/liblua5.1.so.0
Hope that helps!
Hi Ju, it works. Thanks for the help.
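The ldd check suggested in the thread can be scripted so it reports the Lua runtime directly. This is an added example, not part of the original posts or of Suricata itself; the function name lua_flavor, the sample addresses and the libluajit-5.1.so.2 soname are assumptions, and the sample ldd lines are constructed for illustration.

```shell
#!/bin/sh
# Classify which Lua runtime a binary is dynamically linked against.
# Reads `ldd` output on stdin and prints one of: luajit, lua, none.
# "none" means no shared Lua library was listed (Lua support not
# compiled in, or the library was linked statically).
lua_flavor() {
    awk '
        /libluajit/           { jit = 1 }   # LuaJIT shared library
        /liblua[0-9.-]*\.so/  { lua = 1 }   # stock Lua, e.g. liblua5.1.so.0
        END {
            if (jit)      print "luajit"
            else if (lua) print "lua"
            else          print "none"
        }'
}

# Constructed sample: the liblua line quoted in the thread, plus filler.
SAMPLE_LUA='	libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f0000000000)
	liblua5.1.so.0 => /lib/x86_64-linux-gnu/liblua5.1.so.0 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Constructed sample: a build linked against LuaJIT (assumed soname).
SAMPLE_JIT='	libluajit-5.1.so.2 => /lib/x86_64-linux-gnu/libluajit-5.1.so.2 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Constructed sample: no Lua library in the dynamic dependencies.
SAMPLE_NONE='	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

printf '%s\n' "$SAMPLE_LUA"  | lua_flavor
printf '%s\n' "$SAMPLE_JIT"  | lua_flavor
printf '%s\n' "$SAMPLE_NONE" | lua_flavor

# On a real system, feed it the actual binary:
#   ldd "$(command -v suricata)" | lua_flavor
```

Either result means the same rule keyword works, since per the reply above lua and its old alias are the same keyword and only the compile-time setting decides the runtime.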