Summary

This PR implements honeypot detection functionality to identify and flag hosts that exhibit honeypot characteristics (unrealistic number of vulnerability matches).

Root Cause

Many hosts on Shodan and other search engines are configured as honeypots that match all vulnerability signatures to fool scanners. This creates noise in scan results and wastes time on false positives.

Solution

New Features

  1. HoneypotDetector (pkg/protocols/common/honeypot/detector.go)

    • Tracks vulnerability count per host
    • Configurable threshold (default: 10 vulns/host)
    • Calculates honeypot probability score (0-100)
  2. Integration (pkg/protocols/common/honeypot/integration.go)

    • Automatically integrates with nuclei output pipeline
    • Marks detected honeypots in result events
    • Adds metadata: honeypot, honeypot_score, honeypot_vuln_count
  3. CLI Flag (--honeypot-threshold, -ht)

    • Configure detection sensitivity
    • Default: 10 vulnerabilities per host

Score Calculation

  • 0-10 vulns: Score 0-50 (linear)
  • 10-20 vulns: Score 50-80
  • 20+ vulns: Score 80-100

Output Example

{
  "host": "example.com",
  "template-id": "cve-2024-xxxx",
  "honeypot": true,
  "honeypot_score": 85,
  "meta": {
    "honeypot_detected": true,
    "honeypot_score": 85,
    "honeypot_vuln_count": 25
  }
}

Testing

  • Unit tests for detector logic
  • Score calculation tests
  • Integration tests with output pipeline

Usage

# Default threshold (10 vulns)
nuclei -u example.com
# Custom threshold
nuclei -u example.com --honeypot-threshold 15
# Only show non-honeypot results (filter externally)
nuclei -u example.com -jsonl | jq 'select(.honeypot != true)'

Related Issue

Fixes: #6403


/claim #6403

Summary by CodeRabbit

  • New Features

    • Added honeypot detection to identify suspicious hosts with high vulnerability counts.
    • New CLI flag --honeypot-threshold (short -ht) to configure the trigger (default: 10).
    • Results now include honeypot status, a 0–100 honeypot score, and per-host vulnerability count.
  • Tests

    • Added comprehensive test suite validating honeypot detection, scoring, reset behavior, and statistics.
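
A sketch of the per-host counting and the score bands listed under Score Calculation, added here as an illustration and not taken from the PR's detector.go. The type and function names are hypothetical. It assumes that a template counts once per host, that a host is flagged when its count reaches the threshold, and that above 20 matches the score gains one point per match up to 100, which reproduces the 25-match, score-85 output example.

```go
package main

import (
	"fmt"
	"sync"
)

// Detector counts distinct template IDs per host (hypothetical names, not the PR's).
type Detector struct {
	mu        sync.Mutex
	threshold int
	seen      map[string]map[string]struct{} // host -> set of template IDs
}

// Score maps a match count onto the PR's bands. Assumption: above 20 the
// score gains one point per match and caps at 100.
func Score(n int) int {
	switch {
	case n <= 0:
		return 0
	case n <= 10:
		return n * 5 // 0-10 -> 0-50
	case n <= 20:
		return 50 + (n-10)*3 // 10-20 -> 50-80
	case n < 40:
		return 60 + n // 20+ -> 80-100
	}
	return 100
}

// Record registers one match and returns the host's count, score and flag.
// Assumption: a template counts once per host; flag when count >= threshold.
func (d *Detector) Record(host, templateID string) (int, int, bool) {
	d.mu.Lock()
	defer d.mu.Unlock()
	if d.seen[host] == nil {
		d.seen[host] = make(map[string]struct{})
	}
	d.seen[host][templateID] = struct{}{}
	n := len(d.seen[host])
	return n, Score(n), n >= d.threshold
}

func main() {
	d := &Detector{threshold: 10, seen: map[string]map[string]struct{}{}}
	for i := 0; i < 25; i++ { // constructed input: 25 distinct templates, one host
		d.Record("198.51.100.7", fmt.Sprintf("tmpl-%d", i))
	}
	fmt.Println(d.Record("198.51.100.7", "tmpl-0")) // repeat hit: count stays 25
}
```

Counting distinct templates instead of raw events keeps a single noisy template from pushing an ordinary host over the threshold.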

Claim

Total prize pool $250
Total paid $0
Status Pending
Submitted March 05, 2026
Last updated March 05, 2026

Contributors

EthanHan

@EthanHan

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$250