Seeing a lot of /libhtp::request_uri_not_seen messages

Seeing a lot of libhtp messages:

signature":"SURICATA HTTP unable to match response to request","category":"Generic Protocol Command Decode","severity":3},"http":{"http_port":0,"url":"/libhtp::request_uri_not_seen","http_content_type":"application/x-javascript","status":200,"length":2266}

What does ‘/libhtp::request_uri_not_seen’ indicate?


Hi Darrin!

In my experience this has been related to packets not being seen by Suricata/libhtp. The packets not being seen by Suricata/libhtp can be for a number of reasons, but the entry you are seeing is basically libhtp saying it doesn’t have the information for that JSON field.

Hope that helps,


Thanks JT, that makes sense in our context, as we are using traffic mirroring and are only allowing a subset of traffic to our Suricata appliance.
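To check the explanation in this thread against your own EVE log, the sketch below (an added example, not part of the original posts and not Suricata project code) counts how many HTTP-bearing records per endpoint pair carry the placeholder URI, so the pairs whose requests never reach the sensor stand out. The sample records, the function names and the 0.5 threshold are constructed assumptions; `event_type`, `src_ip`, `dest_ip` and `http.url` are standard EVE fields.

```python
import json
from collections import Counter

PLACEHOLDER = "/libhtp::request_uri_not_seen"  # URI value quoted in the thread

# Constructed sample EVE records (illustrative addresses, not from the thread).
# The last line is deliberately truncated, as happens when a log is cut mid-write.
SAMPLE_EVE = """\
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","http":{"url":"/index.html","status":200}}
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","http":{"url":"/app.js","status":200}}
{"event_type":"http","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","http":{"url":"/libhtp::request_uri_not_seen","status":200}}
{"event_type":"alert","src_ip":"198.51.100.20","dest_ip":"10.0.0.7","alert":{"signature":"SURICATA HTTP unable to match response to request"},"http":{"url":"/libhtp::request_uri_not_seen","status":200}}
{"event_type":"http","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","http":{"url":"/libhtp::request_uri_not_seen","status":200}}
{"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"192.0.2.53"}
{"event_type":"http","src_ip":"10.0.0.5","dest_
"""

def summarize(lines):
    """Return {endpoint_pair: (records_with_placeholder_uri, http_records)}."""
    total, missing = Counter(), Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        http = rec.get("http")
        if not isinstance(http, dict) or "url" not in http:
            continue  # record carries no HTTP URI field
        # Use an unordered pair: with partial mirroring the logged direction
        # can differ between records of the same conversation.
        pair = tuple(sorted((rec.get("src_ip", "?"), rec.get("dest_ip", "?"))))
        total[pair] += 1
        if http["url"] == PLACEHOLDER:
            missing[pair] += 1
    return {pair: (missing[pair], total[pair]) for pair in total}

def one_sided(summary, threshold=0.5):
    """Endpoint pairs where at least `threshold` of HTTP records lack a request URI."""
    return sorted(p for p, (m, t) in summary.items() if m / t >= threshold)

if __name__ == "__main__":
    result = summarize(SAMPLE_EVE.splitlines())
    for pair, (m, t) in sorted(result.items()):
        print(f"{pair[0]} <-> {pair[1]}: {m}/{t} records without a request URI")
    print("likely one-sided capture:", one_sided(result))
```

Pairs that show up in the one-sided list are the ones to compare against the traffic-mirroring filter.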