cloud1
cloud2
cloud3
cloud4
cloud5
cloud6
← Back to annotator catalog
HTTP method anomaly signal illustration
Annotator method

HTTP method anomaly

Unusual or unexpected HTTP methods observed for the target endpoints.

How It Works Recent Real Samples

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Unexpected HTTP verbs for the target surface
  • Method switching that looks unlike normal browsing
  • Administrative or probing verbs used against ordinary pages
Logic
  • The annotator compares the observed verb against expected web usage patterns.
  • It is useful around 405, 403, and admin-like endpoints.
  • Strength comes from pairing method oddity with path, status, and velocity.
How To Read It
Interpret this as a request-intent clue: the client is using a verb the page probably did not expect.
Catalog Definition
Flags requests using HTTP methods that are atypical for the application or for specific endpoints (e.g., unexpected verbs, method switching across retries, or methods inconsistent with normal browsing). This can reflect probing, misuse attempts, or misconfigured clients. Interpret with endpoint intent (browser page vs API vs upload) and response patterns (405/403/400).

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week
2026W13
Lookback
30 days
Total matched
168
Latest sample
Mar 01, 2026 • 21:46
Top rules
method:trace_or_connect · 5 method:webdav_verb · 3 method:non_rfc_token · 1
Top requester orgs
DigitalOcean, LLC · 2 Chunghwa Telecom Co. Ltd. · 2 DataWagon LLC · 1
Severity mix
8 · 5 6 · 4 10 · 1
Method mix
CONNECT · 5 PROPFIND · 3 \X16\X03\X01\X01 · 1 PRI · 1
\X16\X03\X01\X01 400 10
Mar 01, 2026 • 21:46
\xF8^\xCE\xD2Q-\xE1\xBET\xFE\xA9\xB9OPen\x80\xA7\x83X%W\xAF
Non-RFC HTTP method token
IP 104.192.2.154 Subnet 104.192.2.0/24 Org DataWagon LLC Country United States Rule method:non_rfc_token
CONNECT 400 8
Mar 01, 2026 • 21:21
google.com:443
Disallowed method: CONNECT
IP 152.42.200.86 Subnet 152.42.200.0/24 Org DigitalOcean, LLC Country Singapore Rule method:trace_or_connect
CONNECT 400 8
Mar 01, 2026 • 20:16
google.com:443
Disallowed method: CONNECT
IP 176.65.148.19 Subnet 176.65.148.0/24 Org Pfcloud UG Country Netherlands Rule method:trace_or_connect
PROPFIND 403 6
Mar 01, 2026 • 18:27
/
WebDAV verb observed: PROPFIND
IP 176.65.134.20 Subnet 176.65.134.0/24 Country Slovenia Rule method:webdav_verb
PROPFIND 403 6
Mar 01, 2026 • 18:07
/
WebDAV verb observed: PROPFIND
IP 176.65.134.20 Subnet 176.65.134.0/24 Country Slovenia Rule method:webdav_verb
PROPFIND 403 6
Mar 01, 2026 • 17:33
/
WebDAV verb observed: PROPFIND
IP 176.65.134.20 Subnet 176.65.134.0/24 Country Slovenia Rule method:webdav_verb
CONNECT 400 8
Mar 01, 2026 • 16:03
www.baidu.com:443
Disallowed method: CONNECT
IP 114.25.100.1 Subnet 114.25.100.0/24 Org Chunghwa Telecom Co. Ltd. Country Taiwan Rule method:trace_or_connect
CONNECT 400 8
Mar 01, 2026 • 16:03
www.baidu.com:443
Disallowed method: CONNECT
IP 114.25.100.1 Subnet 114.25.100.0/24 Org Chunghwa Telecom Co. Ltd. Country Taiwan Rule method:trace_or_connect
PRI 400 6
Mar 01, 2026 • 15:50
*
HTTP/2 preface-like request line
IP 206.168.34.124 Subnet 206.168.34.0/24 Org Censys, Inc. Country United States Rule method:http2_preface
CONNECT 400 8
Mar 01, 2026 • 12:59
google.com:443
Disallowed method: CONNECT
IP 152.42.200.86 Subnet 152.42.200.0/24 Org DigitalOcean, LLC Country Singapore Rule method:trace_or_connect