Seeing a lot of /libhtp::request_uri_not_seen messages

darrinh · October 12, 2021, 1:04am

Seeing a lot of libht messages:

signature":“SURICATA HTTP unable to match response to request”,“category”:“Generic Protocol Command Decode”,“severity”:3},“http”:{“http_port”:0,“url”:“/libhtp::request_uri_not_seen”,“http_content_type”:“application/x-javascript”,“status”:200,“length”:2266}

what does ‘/libhtp::request_uri_not_seen’ indicate?

thanks
Darrin

jmtaylor90 · October 12, 2021, 7:07pm

Hi Darrin!

In my experience this has been related to packets not being seen by suricata/libhtp. The packets not being seen by suricata/libhtp can be for a number of reasons but the entry you are seeing is basically libhtp saying it doesn’t have the information for that json field.

Hope that helps,

JT

darrinh · October 12, 2021, 8:55pm

Thanks JT, that makes sense in our context as we are using traffic mirroring and are only allowing a subset of traffic to our suricata appliance.

cheers
Darrin

Topic		Replies	Views
Suricata Rules HTTP Header not working Rules	3	374	October 31, 2023
Suricata rules & the proxy protocol Help	4	1194	May 31, 2021
Need help with HTTP Signatures Help community , rules	4	180	November 18, 2023
Writing a signature for multiple conditions Rules	3	902	November 25, 2021
Help with HTTP events Help suricata	11	411	February 28, 2023

Seeing a lot of /libhtp::request_uri_not_seen messages

Related Topics