PR

Add honeypot detection to identify and mitigate hosts that return positive matches for an abnormally high number of templates.

Features:

  • Add --honeypot-threshold (-hpt) flag to set detection threshold (percentage of templates matched by host to flag as honeypot)
  • Add --honeypot-suppress (-hpsu) flag to automatically suppress results from flagged honeypot hosts
  • Implement match density tracking per host with unique template counting
  • Add terminal warning: [HONEYPOT?] host matched X% of templates
  • Implement honeypot signature detection for common honeypots: Cowrie, Dionaea, Glastopf, Conpot, Elastichoney

Usage:

nuclei -hpt 30 -hpsu -t templates/ -l targets.txt

Changes:

  • pkg/types/types.go: Add HoneypotThreshold and HoneypotSuppress fields to Options struct
  • cmd/nuclei/main.go: Add CLI flags in optimization group
  • pkg/protocols/common/honeypotcache/: New package for honeypot detection cache with tests
  • pkg/protocols/protocols.go: Add HoneypotCache to ExecutorOptions
  • internal/runner/runner.go: Initialize and close honeypot cache
  • pkg/tmplexec/exec.go: Integrate honeypot check in result writing

/claim #6403

Proposed changes

This PR implements honeypot detection as requested in #6403.

The implementation includes:

  1. Match density tracking per host
  2. Configurable threshold via CLI flags
  3. Optional result suppression for flagged hosts
  4. Known honeypot signature detection

Proof

  • Unit tests added for honeypotcache package (12 tests, all passing)
  • All existing tests pass (go test ./pkg/protocols/... ./pkg/tmplexec/... ./internal/runner/...)
  • Build successful (go build ./...)

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Summary by CodeRabbit

  • New Features

    • Added honeypot detection and suppression to identify and filter results from likely honeypot hosts using per-host template-match percentages.
    • New CLI flags to configure detection threshold and enable result suppression.
    • Signature-based detection against known honeypot patterns, host normalization, and runtime statistics/verbose tracing.
    • Result emission now respects honeypot suppression when enabled.
  • Tests

    • Added comprehensive tests covering detection, suppression, normalization, uniqueness, and signature matching.
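
The match-density check described in this PR (unique templates per host, a percentage threshold, optional suppression), as an added Go example; it is not the PR's honeypotcache code. `Tracker`, `NewTracker`, `Record` and `normalize` are hypothetical names, the target and template IDs are constructed sample input, and grouping all ports of a host under one counter, flagging at or above the threshold, and single-goroutine use are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Tracker counts unique matched templates per host (hypothetical; not nuclei's honeypotcache, single-goroutine use).
type Tracker struct {
	threshold, total float64                        // flagging percentage (0 disables); templates loaded
	suppress         bool                           // drop results from flagged hosts
	seen             map[string]map[string]struct{} // host -> set of matched template IDs
}

func NewTracker(thresholdPct float64, total int, suppress bool) *Tracker {
	return &Tracker{threshold: thresholdPct, total: float64(total), suppress: suppress, seen: map[string]map[string]struct{}{}}
}

// normalize maps a URL or host:port to a lowercase hostname so all schemes and ports of a host share one counter (assumption).
func normalize(target string) string {
	if i := strings.Index(target, "://"); i >= 0 {
		target = target[i+3:]
	}
	if u, err := url.Parse("//" + target); err == nil && u.Hostname() != "" {
		target = u.Hostname()
	}
	return strings.ToLower(target)
}

// Record notes one match and returns the host's match percentage, whether it is flagged, and whether to write the result.
func (t *Tracker) Record(target, templateID string) (pct float64, flagged, emit bool) {
	host := normalize(target)
	if t.seen[host] == nil {
		t.seen[host] = map[string]struct{}{}
	}
	t.seen[host][templateID] = struct{}{} // a template matching twice still counts once
	if t.total > 0 {
		pct = 100 * float64(len(t.seen[host])) / t.total
	}
	flagged = t.threshold > 0 && pct >= t.threshold
	return pct, flagged, !(flagged && t.suppress)
}

func main() {
	t := NewTracker(30, 10, true) // constructed scan: 10 templates, -hpt 30 -hpsu
	for _, id := range []string{"tpl-a", "tpl-a", "tpl-b", "tpl-c"} {
		fmt.Println(t.Record("http://10.0.0.5:8080/", id))
	}
}
```

Because the count is updated as results stream in, matches written before a host crosses the threshold have already been emitted; only later results from that host are suppressed.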

Claim

Total prize pool $250
Total paid $0
Status Pending
Submitted February 27, 2026
Last updated February 27, 2026

Contributors

FuZoe

@FuZoe

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$250