I’m using a Suricata package that supports Lua but not LuaJIT. It’s version 4.1.8, Fedora packaged.
When should I use just Lua or LuaJIT?
What is the expected performance impact for either?
Does the `- lua` section in the YAML need to be configured just for rule detections? It seems to me it is only required to set up “outputs”, as I was able to load a rule without touching that section.
I don’t really use the Lua support myself, but will attempt to answer…
LuaJIT is considerably faster than Lua. I didn’t record any numbers, but I think a sha1 implementation I tested was about 10 times faster with LuaJIT… That’s a pure compute operation though, so different scripts may not be so much faster under LuaJIT.
One point is that LuaJIT is Lua 5.1 compatible, while the rest of the Lua world has moved on to 5.3, and there are incompatibilities between 5.1 and 5.3. So if your scripts can firmly live within the 5.1 ecosystem, you are probably better off with LuaJIT. If you need the 5.3 ecosystem then LuaJIT is not really an option.
And for suricata.yaml, yes, there is only a section for Lua outputs, as you have to specify what scripts to load. Lua when used by the rules is driven through the rule language.
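As an illustration of the two points in the answer above (an added example, not code from the thread or from the Suricata project): a detection script that is loaded through the rule's `lua` keyword rather than through suricata.yaml, written so that it behaves the same on Lua 5.1/LuaJIT and Lua 5.3. The file name, rule, sid and threshold are constructed for the example.

```lua
-- detect_encoded_uri.lua (hypothetical file name, constructed example).
-- Loaded by a rule, with no suricata.yaml entry. Constructed rule, placeholder sid:
--   alert http any any -> any any (msg:"Lua: heavily encoded URI"; \
--       lua:detect_encoded_uri.lua; sid:1000001; rev:1;)

-- Constructed threshold: flag URIs where more than this percentage of
-- bytes belongs to %XX escapes.
local MAX_ENCODED_PERCENT = 50

-- Suricata calls init() once to learn which buffers the script needs.
function init(args)
    local needs = {}
    needs["http.request_line"] = tostring(true)
    return needs
end

-- Suricata calls match() per inspection; return 1 for a match, 0 otherwise.
function match(args)
    local line = args["http.request_line"]
    if line == nil then
        return 0
    end
    local _, uri = tostring(line):match("^(%S+)%s+(%S+)")
    if uri == nil or #uri == 0 then
        return 0
    end
    -- gsub's second return value is the number of %XX escapes found.
    local _, escapes = uri:gsub("%%%x%x", "")
    -- Portability: "/" yields a float on 5.3 (90.0) and a plain number on
    -- 5.1/LuaJIT (90). The 5.3-only "//" operator is a syntax error on 5.1,
    -- so use math.floor for integer division on both.
    local percent = math.floor(escapes * 3 * 100 / #uri)
    if percent > MAX_ENCODED_PERCENT then
        return 1
    end
    return 0
end

-- Self-check with constructed request lines. The global `arg` is only set by
-- the standalone lua/luajit interpreters, so this is skipped inside Suricata.
if arg then
    assert(match({["http.request_line"] = "GET /index.html HTTP/1.1"}) == 0)
    assert(match({["http.request_line"] = "GET /%41%42%43%44%45%46x HTTP/1.1"}) == 1)
    assert(match({}) == 0)
    print(_VERSION, "self-check passed")
end
```

Running the file with both `lua` and `luajit` before deploying the rule shows whether a script stays within the 5.1-compatible subset.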