/libhtp::request_uri_not_seen in Suricata 6.0.2

Hi, I’m currently using Suricata 6.0.2 with libhtp 0.5.37, and when I run Suricata in a production environment, I get a lot of /libhtp::request_uri_not_seen messages.
I read some similar topics related to this type of message and noticed that this error occurred when packets were not being seen by suricata/libhtp (packets dropped). However, my Suricata did not have any dropped packets (drop rate = 0%) and I still got this message.

{"timestamp":"2022-10-18T14:49:31.948328+0700","flow_id":1729415172239252,"in_iface":"eno5","event_type":"http","vlan":[34],"src_ip":"154.222.7.200","src_port":13916,"dest_ip":"171.244.149.214","dest_port":80,"proto":"TCP","tx_id":38,"ether":{"src_mac":"78:ba:f9:27:4f:b2","dest_mac":"ec:9b:8b:65:fb:83"},"http":{"http_port":0,"url":"/libhtp::request_uri_not_seen","http_content_type":"text/html","status":200,"length":3077}}
{"timestamp":"2022-10-18T14:49:31.948328+0700","flow_id":1729415172239252,"in_iface":"eno5","event_type":"fileinfo","vlan":[34],"src_ip":"171.244.149.214","src_port":80,"dest_ip":"154.222.7.200","dest_port":13916,"proto":"TCP","http":{"http_port":0,"url":"/libhtp::request_uri_not_seen","http_content_type":"application/json","status":200,"length":115},"app_proto":"http","fileinfo":{"filename":"/libhtp::request_uri_not_seen","sid":[],"magic":"UTF-8 Unicode text, with no line terminators","gaps":false,"state":"CLOSED","md5":"ab625c2b53ba355fcdd4e3788fa78a8d","sha1":"b9f2afa301010e3f851cded7a88c3f173510f428","sha256":"8f29b979a91dd910baca621c619da5faa4f183704797b9b2dfede68fe06c5b52","stored":false,"size":106,"tx_id":39},"ether":{"src_mac":"78:ba:f9:27:4f:b2","dest_mac":"ec:9b:8b:65:fb:83"}}

These are sample events I have, and I saw a lot of events like these when I monitored the eve.json file. I tried to capture the live traffic and replay it with both Suricata and tcpdump, and the message did not appear. I think it may be related to some performance issue, maybe in Suricata or libhtp.
I hope I can get a proper explanation or some potential reasons that lead to this message.

Hope to get a reply, thank you.
Thong
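As an added example (not code from the original post or from the Suricata project), here is a small triage script for the situation described above: it reads eve.json lines, counts how many http transactions carry libhtp's placeholder URL, groups them by interface and by server, and records the highest tx_id seen on each affected flow. The sample lines are constructed from the two events quoted in the post plus one ordinary GET; the field names are the standard eve http fields visible in those events. Note that the placeholder events in the post carry only response-side fields (status, content type, length) and no hostname or method, which the script counts separately.

```python
import json
from collections import Counter

# Constructed sample eve.json lines, modelled on the two events quoted in the
# post plus one ordinary http event; not real data from the poster's sensor.
SAMPLE_EVE = r'''
{"timestamp":"2022-10-18T14:49:31.948328+0700","flow_id":1729415172239252,"in_iface":"eno5","event_type":"http","vlan":[34],"src_ip":"154.222.7.200","src_port":13916,"dest_ip":"171.244.149.214","dest_port":80,"proto":"TCP","tx_id":38,"http":{"http_port":0,"url":"/libhtp::request_uri_not_seen","http_content_type":"text/html","status":200,"length":3077}}
{"timestamp":"2022-10-18T14:49:31.948328+0700","flow_id":1729415172239252,"in_iface":"eno5","event_type":"fileinfo","vlan":[34],"src_ip":"171.244.149.214","src_port":80,"dest_ip":"154.222.7.200","dest_port":13916,"proto":"TCP","http":{"http_port":0,"url":"/libhtp::request_uri_not_seen","http_content_type":"application/json","status":200,"length":115},"app_proto":"http","fileinfo":{"filename":"/libhtp::request_uri_not_seen","state":"CLOSED","stored":false,"size":106,"tx_id":39}}
{"timestamp":"2022-10-18T14:49:32.104000+0700","flow_id":4242,"in_iface":"eno5","event_type":"http","vlan":[34],"src_ip":"10.1.2.3","src_port":50000,"dest_ip":"171.244.149.214","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.example.invalid","url":"/index.html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":512}}
'''

# The URL libhtp substitutes when it logs a response whose request it never parsed.
PLACEHOLDER = "/libhtp::request_uri_not_seen"


def iter_events(text):
    """Yield one parsed event per non-empty line; skip lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_placeholder(ev):
    """True if the event's http.url is libhtp's 'request not seen' placeholder."""
    return ev.get("http", {}).get("url") == PLACEHOLDER


def triage(text):
    """Summarise how widespread the placeholder is in a chunk of eve.json output.

    Only event_type == "http" is counted, so the fileinfo event that libhtp
    logs for the same transaction does not double-count it.
    """
    total_http = 0
    affected_http = 0
    by_iface = Counter()
    by_server = Counter()
    max_tx = {}               # flow_id -> highest tx_id seen on an affected flow
    missing_request_side = 0  # placeholder events with no hostname and no method

    for ev in iter_events(text):
        if ev.get("event_type") != "http":
            continue
        total_http += 1
        if not is_placeholder(ev):
            continue
        affected_http += 1
        by_iface[ev.get("in_iface", "?")] += 1
        by_server[f"{ev.get('dest_ip')}:{ev.get('dest_port')}"] += 1
        fid = ev.get("flow_id")
        max_tx[fid] = max(max_tx.get(fid, -1), ev.get("tx_id", -1))
        http = ev["http"]
        if "hostname" not in http and "http_method" not in http:
            missing_request_side += 1

    return {
        "total_http": total_http,
        "affected_http": affected_http,
        "affected_ratio": (affected_http / total_http) if total_http else 0.0,
        "affected_flows": len(max_tx),
        "max_tx_per_flow": max_tx,
        "by_iface": dict(by_iface),
        "by_server": dict(by_server),
        "missing_request_side": missing_request_side,
    }


if __name__ == "__main__":
    # Run against the constructed sample; point iter_events at a real file
    # (e.g. open("/var/log/suricata/eve.json").read()) for production logs.
    print(json.dumps(triage(SAMPLE_EVE), indent=2))
```

A high tx_id on affected flows (38 and 39 in the posted events) indicates long-lived keep-alive connections, which is worth noting alongside the per-interface and per-server counts when reporting the issue, since it tells the maintainers whether the unseen requests cluster on particular flows or servers rather than being spread uniformly.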

Hi,

Please update to the most recent version to make sure it’s still a valid issue with 6.0.8.


Hi Andreas, thank you for your response.
Of course I thought about upgrading to a newer version, since I saw a lot of performance issues fixed in the release notes. However, as I mentioned, I am currently running in production, so it may be a little challenging for me to upgrade Suricata.
Can you tell me the potential reasons that cause this issue, so that I can reduce it as much as possible?
Thank you.

Especially for production you should keep in mind that we have released several security fixes, so an upgrade is highly recommended.
There have been several fixes and updates for libhtp as well (0.5.41 is the current one), so your issue might be gone after the upgrade. If not, we can debug further; for that we would also need to know the config file, how it’s built and how it’s running. Ideally it’s reproduced with a pcap as well.

Alright, I think upgrading the Suricata version is the best solution for me now.
Thank you.