{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,11]],"date-time":"2025-11-11T09:43:42Z","timestamp":1762854222016,"version":"build-2065373602"},"reference-count":20,"publisher":"MDPI AG","issue":"11","license":[{"start":{"date-parts":[[2025,11,11]],"date-time":"2025-11-11T00:00:00Z","timestamp":1762819200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Artificial Intelligence National Laboratory: European Union project","award":["RRF-2.3.1-21-2022-00004"],"award-info":[{"award-number":["RRF-2.3.1-21-2022-00004"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Data"],"abstract":"<jats:p>We present a real-world dataset capturing thirty consecutive days of malicious HTTP traffic filtered and blocked by the OWASP ModSecurity Web Application Firewall (WAF) on a live production server. Each entry corresponds to a request that triggered one or more rules in the OWASP Core Rule Set (CRS), resulting in its inclusion in the audit log due to suspected exploitation attempts. The dataset includes attack categories such as SQL injection, cross-site scripting (XSS), local file inclusion, scanner probes, and various malformed or evasive input forms. The data has been carefully anonymized to protect sensitive information while preserving critical structural tags, including request method, URI, triggered rule IDs, request headers, and user-agent strings. This dataset provides a real-world resource for cybersecurity researchers, particularly those developing or evaluating intrusion detection systems (IDSs), WAF rule tuning strategies, anomaly detection algorithms, and adversarial machine learning models. The dataset also allows performance testing of threat prevention pipelines. By making this dataset publicly available, we aim to support reproducible research in web security, encourage benchmarking of detection techniques under real-world conditions, and contribute insight into the nature of contemporary web-based threats observed in an uncontrolled environment.<\/jats:p>","DOI":"10.3390\/data10110186","type":"journal-article","created":{"date-parts":[[2025,11,11]],"date-time":"2025-11-11T08:57:41Z","timestamp":1762851461000},"page":"186","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["A Thirty-Day Dataset of Malicious HTTP Requests Blocked by OWASP ModSecurity on a Production Web Server"],"prefix":"10.3390","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1760-468X","authenticated-orcid":false,"given":"Geza","family":"Lucz","sequence":"first","affiliation":[{"name":"Department of Automation and Applied Informatics, Faculty of Electrical Engineering and Informatics, Budapest University of Technology and Economics, M\u0171egyetem rkp. 3., H-1111 Budapest, Hungary"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-6669-2660","authenticated-orcid":false,"given":"Bertalan","family":"Forstner","sequence":"additional","affiliation":[{"name":"Department of Automation and Applied Informatics, Faculty of Electrical Engineering and Informatics, Budapest University of Technology and Economics, M\u0171egyetem rkp. 3., H-1111 Budapest, Hungary"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2025,11,11]]},"reference":[{"key":"ref_1","unstructured":"ModSecurity (2025, September 22). ModSecurity Open-Source Web Application Firewall. Available online: https:\/\/modsecurity.org."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Bilic, I., Josi\u0107, K., Pranic, D., and Ribaric, S. (2024, January 24\u201325). Web application firewalls (WAFs) in protecting software. Proceedings of the 35th DAAAM International Symposium on Intelligent Manufacturing and Automation, Vienna, Austria.","DOI":"10.2507\/35th.daaam.proceedings.042"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1007\/s10207-024-00914-z","article-title":"DevSecOps practices and tools","volume":"24","author":"Prates","year":"2025","journal-title":"Int. J. Inf. Secur."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Dehlaghi-Ghadim, A., Helali Moghadam, M., Balador, A., and Hansson, H. (2023). ICS-Flow: An anomaly detection dataset for industrial control systems. arXiv.","DOI":"10.1109\/ACCESS.2023.3320928"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Goldschmidt, P., and Chud\u00e1, D. (2025). Network intrusion datasets: A survey, limitations, and best practices. arXiv.","DOI":"10.1016\/j.cose.2025.104510"},{"key":"ref_6","unstructured":"OWASP Core Rule Set Project (2025, September 22). OWASP ModSecurity Core Rule Set. Available online: https:\/\/coreruleset.org."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Moustafa, N., and Slay, J. (2015, January 10\u201312). UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). Proceedings of the 2015 Military Communications and Information Systems Conference (MilCIS), Canberra, ACT, Australia.","DOI":"10.1109\/MilCIS.2015.7348942"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Sharafaldin, I., Lashkari, A.H., and Ghorbani, A.A. (2025, September 22). CICIDS2017 Dataset. Canadian Institute for Cybersecurity, University of New Brunswick. Available online: https:\/\/www.unb.ca\/cic\/datasets\/ids-2017.html.","DOI":"10.13052\/jsn2445-9739.2017.009"},{"key":"ref_9","unstructured":"Tavallaee, M., Stakhanova, N., and Ghorbani, A.A. (2025, September 22). HTTP CSIC 2010 Dataset [Dataset]. Information Security Institute, Spanish Research Council (CSIC). Available online: https:\/\/www.kaggle.com\/datasets\/ispangler\/csic-2010-web-application-attacks."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"\u015een, \u00d6. (2023). Benchmark Evaluation of Anomaly-Based Intrusion Detection Systems. arXiv.","DOI":"10.1109\/ISGTEUROPE56780.2023.10407262"},{"key":"ref_11","unstructured":"Lucz, G. (2025, September 22). A Thirty-Day Dataset of Malicious HTTP Requests Blocked by OWASP ModSecurity on a Production Web Server [Data Set]. Zenodo. Available online: https:\/\/zenodo.org\/records\/17178461."},{"key":"ref_12","unstructured":"Kasturi, G., Zhao, P., Alowaisheq, E., Kotipalli, S., and Chen, Z. (2022, January 10\u201312). A large-scale study of malicious plugins in WordPress. Proceedings of the 31st USENIX Security Symposium (USENIX Security 2022), Boston, MA, USA. Available online: https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/kasturi."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Mohamed Mohideen, M.A., Nadeem, M.S., Hardy, J., Ali, H., Tariq, U.U., Sabrina, F., Waqar, M., and Ahmed, S. (2024). Behind the Code: Identifying Zero-Day Exploits in WordPress. Futur. Internet, 16.","DOI":"10.3390\/fi16070256"},{"key":"ref_14","unstructured":"Thomas-Reynolds, D., and Butakov, S. (2020, January 12). Factors affecting the performance of web application firewall. Proceedings of the 2020 Workshop on Information Security and Privacy (WISP 2020), Virtual. Available online: https:\/\/aisel.aisnet.org\/wisp2020\/8."},{"key":"ref_15","unstructured":"glucz (2025, September 22). Glucz\/OWASP-Server-Configuration: Zenodo Release (v1.1). Zenodo. Available online: https:\/\/zenodo.org\/records\/17188106."},{"key":"ref_16","unstructured":"Antonov, A., and Sidorov, S. (2024). Web application firewalls: Comparative evaluation of ModSecurity, NAXSI, and Shadow Daemon. arXiv."},{"key":"ref_17","unstructured":"OWASP ModSecurity Project (2025, September 22). ModSecurity 2 Data Formats. GitHub. Available online: https:\/\/github.com\/owasp-modsecurity\/ModSecurity\/wiki\/ModSecurity-2-Data-Formats."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Sarmin, S., Sarkar, S., Wang, Y., and Mohammed, N. (2025). Synthetic data: Revisiting the privacy\u2013utility trade-off. arXiv.","DOI":"10.1007\/s10207-025-01072-6"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Livadariu, I., Dainotti, A., Jonker, M., Stiller, B., and Elmokashfi, A. (2020, January 30\u201331). On the accuracy of country-level IP geolocation. Proceedings of the Applied Networking Research Workshop (ANRW 2020), Virtual.","DOI":"10.1145\/3404868.3406664"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Drivas, I., Karampelas, P., Anagnostopoulos, I., and Verginadis, Y. (2021). Content management systems performance and website speed. Information, 12.","DOI":"10.3390\/info12070259"}],"container-title":["Data"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2306-5729\/10\/11\/186\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,11]],"date-time":"2025-11-11T09:40:09Z","timestamp":1762854009000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2306-5729\/10\/11\/186"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,11]]},"references-count":20,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2025,11]]}},"alternative-id":["data10110186"],"URL":"https:\/\/doi.org\/10.3390\/data10110186","relation":{},"ISSN":["2306-5729"],"issn-type":[{"value":"2306-5729","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,11,11]]}}}