This is Suricata version 6.0.4 RELEASE
RHEL 7.5 (kernel 3.10.0)
suricata use in IDS.
The problem is in flow parsing, when tx_id is greater than a certain value, the eve.log has output
... "path":"/libhtp::request_uri_not_seen" ....
I think it may be caused by the data exceeding the cache size or the flow timeout.
And in the log, when tx_id is 0, timestamp is 10:03:34, the parsing is normal.
When tx_id is 12, timestamp is 10:03:56, the parsing is normal.
When tx_id is 13, timestamp is 10:03:57, the parsing is abnormal.
When tx_id is greater than 13, the parsing is abnormal.
Hope to get a reply, thank you!
Is it possible to share (privately works too) a pcap ?
It’s hard to share a pcap, for that I don’t know the flow’s characteristics, so I don’t know how to cap it in to pcap.
By the way, its not all the log show request_uri_not_seen, just in flow and tx_id greater than a certain value. The traffic is huge, and there are many kind of protocol.
The problem flow log look like:
http/1.1 protocol POST, with 21.9KB req_body_raw encoded in base64.
Can you tell me the configuration that affects the flow analysis?