Seeing a lot of /libhtp::request_uri_not_seen messages

darrinh · October 12, 2021, 1:04am

Seeing a lot of libht messages:

signature":“SURICATA HTTP unable to match response to request”,“category”:“Generic Protocol Command Decode”,“severity”:3},“http”:{“http_port”:0,“url”:“/libhtp::request_uri_not_seen”,“http_content_type”:“application/x-javascript”,“status”:200,“length”:2266}

what does ‘/libhtp::request_uri_not_seen’ indicate?

thanks
Darrin

jmtaylor90 · October 12, 2021, 7:07pm

Hi Darrin!

In my experience this has been related to packets not being seen by suricata/libhtp. The packets not being seen by suricata/libhtp can be for a number of reasons but the entry you are seeing is basically libhtp saying it doesn’t have the information for that json field.

Hope that helps,

JT

darrinh · October 12, 2021, 8:55pm

Thanks JT, that makes sense in our context as we are using traffic mirroring and are only allowing a subset of traffic to our suricata appliance.

cheers
Darrin

Topic		Replies	Views
/libhtp::request_uri_not_seen in Suricata 6.0.2 Help	5	604	November 7, 2024
Libhtp::request_uri_not_seen Help suricata	18	1530	April 5, 2022
Lots of /libhttp::request_uri_not_seen Help suricata	10	80	December 30, 2024
Suricata flow parsing see a lot "libhtp:request_uri_not_seen" Help community	2	900	January 18, 2022
SURICATA HTTP unable to match response to request Rules	1	3278	November 1, 2021

Seeing a lot of /libhtp::request_uri_not_seen messages

Related topics