Summary

Fixes #6403

/claim #6403

Many hosts on Shodan intentionally respond to all nuclei templates to fool scanners, creating noisy false positives. This PR adds a configurable honeypot detection system that tracks unique template matches per host and flags hosts exceeding a threshold.

Changes

New package: pkg/honeypot/

  • Detector: Concurrent-safe honeypot detector using sync.Map for lock-free host tracking
  • Tracks unique template IDs per host (duplicate template matches are not double-counted)
  • Configurable threshold — when a host exceeds N unique template matches, it is flagged
  • Host normalization handles URLs, host:port, IPv6 brackets, and case differences
  • Zero overhead when disabled (threshold=0)

Integration in pkg/output/output.go

  • StandardWriter.Write() records each match and suppresses output from flagged honeypot hosts
  • Summary of flagged hosts printed at scan completion via Close()
  • Exposes HoneypotDetector() method for external access

New CLI flag

  • -honeypot-threshold / -hpt (int, default 0 = disabled)
  • Added to the “Optimizations” group alongside -max-host-error

Changes to pkg/types/types.go

  • Added HoneypotThreshold field to Options struct and its Copy() method

Usage

# Flag hosts with 10+ unique template matches as honeypots
nuclei -t templates/ -l targets.txt -hpt 10
# Use verbose mode to see details of flagged hosts
nuclei -t templates/ -l targets.txt -hpt 10 -v

Design Decisions

  1. Integration at the Writer level rather than the engine level — this means honeypot detection works regardless of scan strategy (host-spray, template-spray, auto) without modifying the core execution engine
  2. sync.Map + per-entry mutex for concurrent safety without a global lock bottleneck
  3. Suppression, not removal — once a host is flagged, its future results are silently suppressed but earlier results (before the threshold was hit) are still shown
  4. No external dependencies — uses only stdlib and existing nuclei dependencies

Tests

14 comprehensive tests covering:

  • Basic threshold behavior
  • Duplicate template deduplication
  • Multiple host tracking
  • Disabled/negative threshold
  • Post-flagging behavior
  • Host normalization (URLs, ports, IPv6, case)
  • Empty host handling
  • Concurrent access stress test (100 goroutines)
  • Multi-host concurrent stress test (20 hosts × 5 templates)

$ go test ./pkg/honeypot/... -v -count=1
=== RUN TestDetectorBasic
--- PASS: TestDetectorBasic (0.00s)
=== RUN TestDetectorDuplicateTemplates
--- PASS: TestDetectorDuplicateTemplates (0.00s)
=== RUN TestDetectorMultipleHosts
--- PASS: TestDetectorMultipleHosts (0.00s)
=== RUN TestDetectorDisabled
--- PASS: TestDetectorDisabled (0.00s)
=== RUN TestDetectorNegativeThreshold
--- PASS: TestDetectorNegativeThreshold (0.00s)
=== RUN TestDetectorRecordAfterFlagged
--- PASS: TestDetectorRecordAfterFlagged (0.00s)
=== RUN TestDetectorFlaggedHosts
--- PASS: TestDetectorFlaggedHosts (0.00s)
=== RUN TestNormalizeHost
--- PASS: TestNormalizeHost (0.00s)
=== RUN TestDetectorHostNormalization
--- PASS: TestDetectorHostNormalization (0.00s)
=== RUN TestDetectorEmptyHost
--- PASS: TestDetectorEmptyHost (0.00s)
=== RUN TestDetectorConcurrentAccess
--- PASS: TestDetectorConcurrentAccess (0.00s)
=== RUN TestDetectorConcurrentMultipleHosts
--- PASS: TestDetectorConcurrentMultipleHosts (0.00s)
=== RUN TestDetectorUnknownHost
--- PASS: TestDetectorUnknownHost (0.00s)
PASS
ok github.com/projectdiscovery/nuclei/v3/pkg/honeypot 0.006s

Build Verification

$ go build -o ./bin/nuclei ./cmd/nuclei/
$ ./bin/nuclei -h | grep honeypot
-hpt, -honeypot-threshold int threshold of unique template matches before flagging a host as honeypot (0 = disabled)

Summary by CodeRabbit

  • New Features
    • CLI flag --honeypot-threshold (-hpt) to enable honeypot detection by unique-template threshold (0 = disabled); flagged hosts have their results suppressed and a summary shown at completion
  • Behavior / Reliability
    • Improved host normalization (URLs, ports, IPv6, userinfo) and concurrency-safe detection during result processing; detection available programmatically
  • Tests
    • Comprehensive tests covering detection, normalization, edge cases and concurrency

Claim

Total prize pool: $250
Total paid: $0
Status: Pending
Submitted: February 12, 2026
Last updated: February 12, 2026

Contributors

Nenad Ilic (@nenadilic84): 100%

Sponsors

ProjectDiscovery (@projectdiscovery): $250