A Thirty-Day Dataset of Malicious HTTP Requests Blocked by OWASP ModSecurity on a Production Web Server
We present a real-world dataset capturing thirty consecutive days of malicious HTTP traffic filtered and blocked by the OWASP ModSecurity Web Application Firewall (WAF) on a live production server. Each entry corresponds to a request that triggered one or more rules in the OWASP Core Rule Set (CRS),...
| Published in: | Data (Basel) Vol. 10; no. 11; p. 186 |
|---|---|
| Main Authors: | Lucz, Geza; Forstner, Bertalan |
| Format: | Journal Article |
| Language: | English |
| Published: | Basel: MDPI AG, 01.11.2025 |
| Subjects: | |
| ISSN: | 2306-5729, 2306-5729 |
| Abstract | We present a real-world dataset capturing thirty consecutive days of malicious HTTP traffic filtered and blocked by the OWASP ModSecurity Web Application Firewall (WAF) on a live production server. Each entry corresponds to a request that triggered one or more rules in the OWASP Core Rule Set (CRS), resulting in its inclusion in the audit log due to suspected exploitation attempts. The dataset includes attack categories such as SQL injection, cross-site scripting (XSS), local file inclusion, scanner probes, and various malformed or evasive input forms. The data has been carefully anonymized to protect sensitive information while preserving critical structural tags, including request method, URI, triggered rule IDs, request headers, and user-agent strings. This dataset provides a real-world resource for cybersecurity researchers, particularly those developing or evaluating intrusion detection systems (IDSs), WAF rule tuning strategies, anomaly detection algorithms, and adversarial machine learning models. The dataset also allows performance testing of threat prevention pipelines. By making this dataset publicly available, we aim to support reproducible research in web security, encourage benchmarking of detection techniques under real-world conditions, and contribute insight into the nature of contemporary web-based threats observed in an uncontrolled environment. |
|---|---|
| Audience | Academic |
| Author | Forstner, Bertalan; Lucz, Geza |
| Author_xml | – sequence: 1 givenname: Geza orcidid: 0000-0003-1760-468X surname: Lucz fullname: Lucz, Geza – sequence: 2 givenname: Bertalan orcidid: 0009-0003-6669-2660 surname: Forstner fullname: Forstner, Bertalan |
| ContentType | Journal Article |
| Copyright | COPYRIGHT 2025 MDPI AG 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License. |
| DOI | 10.3390/data10110186 |
| DatabaseName | CrossRef ProQuest SciTech Collection ProQuest Technology Collection ProQuest Central (Alumni) ProQuest Central UK/Ireland Advanced Technologies & Computer Science Collection ProQuest Central Essentials ProQuest Central Technology collection ProQuest One ProQuest Central SciTech Premium Collection Advanced Technologies & Aerospace Database ProQuest Advanced Technologies & Aerospace Collection ProQuest Central Premium ProQuest One Academic ProQuest Publicly Available Content ProQuest One Academic Middle East (New) ProQuest One Academic Eastern Edition (DO NOT USE) ProQuest One Applied & Life Sciences ProQuest One Academic (retired) ProQuest One Academic UKI Edition ProQuest Central China DOAJ Directory of Open Access Journals |
| DatabaseTitle | CrossRef Publicly Available Content Database Advanced Technologies & Aerospace Collection Technology Collection ProQuest One Academic Middle East (New) ProQuest Advanced Technologies & Aerospace Collection ProQuest Central Essentials ProQuest One Academic Eastern Edition ProQuest Central (Alumni Edition) SciTech Premium Collection ProQuest One Community College ProQuest Technology Collection ProQuest SciTech Collection ProQuest Central China ProQuest Central Advanced Technologies & Aerospace Database ProQuest One Applied & Life Sciences ProQuest One Academic UKI Edition ProQuest Central Korea ProQuest Central (New) ProQuest One Academic ProQuest One Academic (New) |
| DatabaseTitleList | Publicly Available Content Database CrossRef |
| Database_xml | – sequence: 1 dbid: DOA name: DOAJ Directory of Open Access Journals url: https://www.doaj.org/ sourceTypes: Open Website – sequence: 2 dbid: PIMPY name: Publicly Available Content Database url: http://search.proquest.com/publiccontent sourceTypes: Aggregation Database |
| Discipline | Sciences (General) |
| EISSN | 2306-5729 |
| IsDoiOpenAccess | true |
| IsOpenAccess | true |
| IsPeerReviewed | true |
| IsScholarly | true |
| Issue | 11 |
| Language | English |
| ORCID | 0000-0003-1760-468X 0009-0003-6669-2660 |
| OpenAccessLink | https://doaj.org/article/d32d2f8825484dc98eb04928b4f84a55 |
| PublicationCentury | 2000 |
| PublicationDate | 20251101 |
| PublicationDateYYYYMMDD | 2025-11-01 |
| PublicationDate_xml | – month: 11 year: 2025 text: 20251101 day: 01 |
| PublicationDecade | 2020 |
| PublicationPlace | Basel |
| PublicationPlace_xml | – name: Basel |
| PublicationTitle | Data (Basel) |
| PublicationYear | 2025 |
| Publisher | MDPI AG |
| Publisher_xml | – name: MDPI AG |
| StartPage | 186 |
| SubjectTerms | Anomalies; Applications programs; Archives & records; Audits; Customer feedback; Cybersecurity; Data collection; Data security; Datasets; Headers; HTTP request filtering; Internet software; intrusion detection dataset; Intrusion detection systems; Machine learning; Metadata; ModSecurity; OWASP Core Rule Set (CRS); Payloads; real-world dataset; Servers; Web Application Firewall (WAF); Web applications |
| URI | https://www.proquest.com/docview/3275509362 https://doaj.org/article/d32d2f8825484dc98eb04928b4f84a55 |
| Volume | 10 |