Annotator proto

Protocol anomaly

Request structure or protocol-level signals deviate from typical browser HTTP traffic.

Attack family · Protocol fuzzing and non-browser request crafting
Phase · Reconnaissance and parser abuse
Risk · Medium to high

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Malformed HTTP structure and protocol-layer irregularities
  • Header formatting and version anomalies
  • Non-browser request framing that deviates from ordinary traffic
Logic
  • The annotator emits multiple protocol findings when one request breaks several expectations.
  • It is aimed at fuzzers, scanners, and custom clients rather than polished browsers.
  • Signals are sanitized before storage so unusual bytes do not break downstream systems.
Attack Family
Odd protocol structure often means the client is testing the parsing stack itself, not just a page. That puts reverse proxies, load balancers, WAFs, and the application in the same blast radius.
Damage Patterns
  • Malformed framing can uncover differences between intermediaries and backend services.
  • Protocol anomalies can lead to cache confusion, request desync, bypass behavior, or outright parser crashes.
Incident Lore
  • Many serious web edge incidents have come from disagreement between layers, not from one obviously dangerous payload.
  • Custom clients and fuzzers often announce themselves first through structure before the operator knows which parser weakness is reachable.
How To Read It
This tells you the request was structurally odd at the HTTP layer, not just suspicious in its content.
Defender Takeaway
This signal belongs to the request path itself. Look at proxies, gateways, and backend parsing together, not in isolation.
Catalog Definition
Flags anomalies at the HTTP/protocol layer such as malformed request structure, unusual header formatting/order, invalid versions, or other indicators that the client is not a standard web browser. Useful for spotting scanners, fuzzers, and custom tooling, and for explaining “nonstandard client behavior” in reports.
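
The Logic bullets above, as an added example that is not the annotator's own implementation: a Python check that emits one finding per broken expectation on a request line and escapes unusual bytes before the signal is stored. The rule ids proto:malformed_request_line and proto:invalid_version, the 120-character limit, and the sample request lines are assumptions made for this example.

```python
import re

# Rule ids proto:bad_percent_encoding and proto:http2_preface_artifact appear on
# the page; the other two ids are hypothetical names chosen for this example.
BAD_PCT = re.compile(rb"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits
VERSION = re.compile(rb"HTTP/\d\.\d")
MAX_SIGNAL_LEN = 120  # assumed storage limit


def sanitize(raw: bytes) -> str:
    """Escape control, non-ASCII and backslash bytes so stored signals stay inert."""
    out = "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else f"\\x{b:02x}" for b in raw)
    return out[:MAX_SIGNAL_LEN]


def annotate(request_line: bytes) -> list[dict]:
    """Return every protocol finding for one request line (may be several)."""
    findings = []

    def emit(rule, detail, evidence):
        findings.append({"rule": rule, "detail": detail, "signal": sanitize(evidence)})

    parts = request_line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        emit("proto:malformed_request_line", "Request line is not method SP target SP version", request_line)
        return findings
    method, target, version = parts
    if method == b"PRI" and target == b"*":  # HTTP/2 preface read by an HTTP/1.x parser
        emit("proto:http2_preface_artifact", "HTTP/2 preface artifact (PRI) observed", request_line)
    if BAD_PCT.search(target):
        emit("proto:bad_percent_encoding", "Malformed percent-encoding in request target", target)
    if not VERSION.fullmatch(version):
        emit("proto:invalid_version", "Version token is not HTTP/<digit>.<digit>", version)
    return findings


# Constructed sample request lines (not taken from real traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"PRI * HTTP/2.0\r\n",
    b"POST /cgi-bin/%%32%65/x HTTP/1.1\r\n",
    b"GET /a%zz\x00b HTTP/9\r\n",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(sanitize(line), "->", [f["rule"] for f in annotate(line)])
```

The last sample breaks two expectations at once and yields two findings, and its NUL byte reaches storage only as the literal text \x00.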

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week: 2026W16
Lookback: 30 days
Total matched: 3346
Latest sample: Apr 13, 2026 • 00:57
Top rules: proto:bad_percent_encoding · 6; proto:http2_preface_artifact · 4
Top requester orgs: Censys Inc · 2; Cloud Hosting Solutions, Limited · 1; Cloudie Limited · 1
Severity mix: 12 · 6; 10 · 4
Method mix: POST · 6; PRI · 4