Annotator ua

User-Agent anomaly

User-Agent signals look missing, inconsistent, or indicative of non-browser tooling.

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Missing, empty, or malformed user-agent values
  • Scanner, CLI, library, and headless browser signatures
  • Spoofing and improbable token combinations inside the user-agent string
Logic
  • The annotator escalates from weak anomalies to stronger tool signatures.
  • Known scanner tokens and headless frameworks carry stronger weight than generic short user-agents.
  • Output is best read together with scan velocity, method anomalies, and auth probing.
How To Read It
A malformed or tooling-oriented user-agent is a powerful supporting signal, but rarely the whole story by itself.
Catalog Definition
Flags anomalous User-Agent behavior such as missing UA, obviously synthetic UA strings, improbable combinations, or frequent UA switching. This supports distinguishing normal browsing from automation and tooling. Some legitimate privacy tools, enterprise stacks, and monitoring agents can trigger this, so interpret alongside other signals (velocity, endpoint diversity, error rates).
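A sketch of the escalation described under Logic, added here as an example and not the annotator's own implementation. Only the rule ids ua:very_short, ua:truncated_mozilla and ua:cli:wget come from this page; every other rule id, the weights, the token lists and the length threshold are assumptions, and the sample User-Agent values are constructed.

```python
import re

# Rule ids ua:very_short, ua:truncated_mozilla and ua:cli:wget come from the page.
# All other rule ids, the weights, token lists and length threshold are assumptions.
WEAK, MEDIUM, STRONG = 1, 2, 3
SIGNATURES = [  # (family, weight, lowercase tokens)
    ("scanner", STRONG, ("nikto", "sqlmap", "masscan", "zgrab")),
    ("headless", STRONG, ("headlesschrome", "phantomjs")),
    ("cli", MEDIUM, ("wget", "curl")),
    ("library", MEDIUM, ("python-requests", "go-http-client")),
]
DESKTOP_PLATFORMS = ("Windows NT", "Macintosh", "X11")
FULL_MOZILLA = re.compile(r"^Mozilla/\d\.\d \(.+\)")  # product token plus a platform comment
VERY_SHORT = 12  # characters


def annotate_ua(ua):
    """Return [(rule_id, weight)] for one User-Agent value, strongest first."""
    if ua is None or not ua.strip():
        return [("ua:missing", WEAK)]
    low, found = ua.lower(), []
    for family, weight, tokens in SIGNATURES:
        found += [(f"ua:{family}:{t}", weight) for t in tokens if t in low]
    if sum(p in ua for p in DESKTOP_PLATFORMS) > 1:
        found.append(("ua:improbable_combo", MEDIUM))
    if low.startswith("mozilla") and not FULL_MOZILLA.match(ua):
        found.append(("ua:truncated_mozilla", WEAK))
    elif len(ua) < VERY_SHORT and not found:  # weak rule only when nothing stronger hit
        found.append(("ua:very_short", WEAK))
    return sorted(found, key=lambda f: -f[1])


def ua_switching(events, max_distinct=3):
    """Return client IPs that used more than max_distinct User-Agent values."""
    seen = {}
    for ip, ua in events:
        seen.setdefault(ip, set()).add(ua)
    return sorted(ip for ip, uas in seen.items() if len(uas) > max_distinct)


if __name__ == "__main__":
    # Constructed sample values, not taken from the page's events.
    for ua in [None, "-", "Mozilla/5.0", "Wget/1.21.4",
               "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0",
               "Mozilla/5.0 (Windows NT 10.0; Macintosh) Gecko/20100101 Firefox/115.0"]:
        print(repr(ua), "->", annotate_ua(ua))
```

An empty result means no User-Agent rule fired; per the guidance above, a non-empty one is still only a supporting signal to weigh with velocity, endpoint diversity and error rates.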

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week: 2026W13
Lookback: 30 days
Total matched: 21472
Latest sample: Mar 01, 2026 • 23:37
Top rules: ua:very_short · 8, ua:truncated_mozilla · 1, ua:cli:wget · 1
Top requester orgs: Intelligence Hosting LLC · 3, DataWagon LLC · 3, Contabo GmbH · 2
Severity mix: 8 · 9, 14 · 1
Method mix: GET · 7, POST · 2, \X16\X03\X01\X01 · 1

GET 301 8
Mar 01, 2026 • 23:37
/bin/
Very short User-Agent string
IP 204.76.203.18 Subnet 204.76.203.0/24 Org Intelligence Hosting LLC Country The Netherlands Rule ua:very_short
POST 400 8
Mar 01, 2026 • 23:05
/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh
Very short User-Agent string
IP 77.237.243.239 Subnet 77.237.243.0/24 Org Contabo GmbH Country France Rule ua:very_short
POST 400 8
Mar 01, 2026 • 23:05
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
Very short User-Agent string
IP 77.237.243.239 Subnet 77.237.243.0/24 Org Contabo GmbH Country France Rule ua:very_short
GET 301 8
Mar 01, 2026 • 22:36
/
Truncated Mozilla User-Agent token
IP 45.153.34.187 Subnet 45.153.34.0/24 Org VMHeaven.io Country Netherlands Rule ua:truncated_mozilla
GET 301 8
Mar 01, 2026 • 22:30
/bin/
Very short User-Agent string
IP 204.76.203.18 Subnet 204.76.203.0/24 Org Intelligence Hosting LLC Country The Netherlands Rule ua:very_short
GET 301 14
Mar 01, 2026 • 22:19
//synduweb.sgp1.digitaloceanspaces.com/assets/homepage/js/featured_entities_carousel.js
CLI HTTP client user-agent: wget
IP 149.50.97.212 Subnet 149.50.97.0/24 Org Meverywhere sp.zo.o Country Poland Rule ua:cli:wget
GET 301 8
Mar 01, 2026 • 22:17
/bins/
Very short User-Agent string
IP 204.76.203.18 Subnet 204.76.203.0/24 Org Intelligence Hosting LLC Country The Netherlands Rule ua:very_short
GET 400 8
Mar 01, 2026 • 21:46
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
Very short User-Agent string
IP 104.192.2.154 Subnet 104.192.2.0/24 Org DataWagon LLC Country United States Rule ua:very_short
\X16\X03\X01\X01 400 8
Mar 01, 2026 • 21:46
\xF8^\xCE\xD2Q-\xE1\xBET\xFE\xA9\xB9OPen\x80\xA7\x83X%W\xAF
Very short User-Agent string
IP 104.192.2.154 Subnet 104.192.2.0/24 Org DataWagon LLC Country United States Rule ua:very_short
GET 400 8
Mar 01, 2026 • 21:46
/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
Very short User-Agent string
IP 104.192.2.154 Subnet 104.192.2.0/24 Org DataWagon LLC Country United States Rule ua:very_short