Honeypot Detection

Fixes #6403

/claim #6403

Many hosts on Shodan respond to all nuclei templates to fool the scanner, creating noisy false positives. This PR adds detection for such honeypots.

What it does

Tracks how many distinct templates match each host. If a host crosses a threshold (default 10), it gets flagged as a potential honeypot. You get a warning, and optionally can suppress further results from that host.

New flags

-hpt, -honeypot-threshold int threshold before flagging (default 10)
-hpd, -honeypot-detection enable/disable detection (default true)
-shp, -suppress-honeypot suppress honeypot results
-hpe, -honeypot-export string export detected honeypots to file (CSV format: host,match_count)
-hpb, -honeypot-blocklist string import known honeypot hosts from file
-hpmh, -honeypot-max-hosts int max hosts to track in LRU cache (default 10000)

Example

# Warn only (default)
nuclei -u target.com
# Suppress results from honeypots
nuclei -u target.com -suppress-honeypot
# Lower threshold
nuclei -u target.com -honeypot-threshold 5
# Export detected honeypots to file
nuclei -u target.com -honeypot-export honeypots.txt
# Import known honeypots from blocklist
nuclei -u target.com -honeypot-blocklist known-honeypots.txt -suppress-honeypot

Output:

[WRN] Potential honeypot detected: 120.26.237.211 (matched 15 distinct templates)
[INF] Future results from 120.26.237.211 will be suppressed
[INF] Honeypot detection summary: 3 host(s) flagged, 42 result(s) suppressed
[INF] Exported 3 honeypot host(s) to honeypots.txt

Export format (CSV):

# Honeypot hosts detected by nuclei
# Format: host,match_count
120.26.237.211,15
192.168.1.100,12
example-honeypot.com,18

Testing

  • 99 unit tests (race detector clean)
  • Detector tests: threshold boundary, blocklist loading, LRU eviction, concurrent access
  • Writer tests: IPv4/IPv6 normalization, export format, suppression logic, integration
  • Handles IPv4, IPv6, and port normalization correctly
  • Thread-safe with proper mutex synchronization

Implementation Details

  • Uses LRU cache for memory efficiency (configurable max hosts)
  • Eviction callback maintains accurate honeypot count
  • Export uses CSV format with header comments for easy re-import
  • Blocklist supports comments (#) and blank lines
  • All honeypot fields properly copied in Options.Copy()

Summary by CodeRabbit

  • New Features

    • Honeypot detection enabled by default with configurable threshold, max-host tracking, optional suppression of results, blocklist loading, exportable detected hosts (CSV), per-result honeypot flags and match counts, one-time warnings and verbose reporting.
  • Documentation

    • CLI docs updated with new honeypot-related flags and defaults.
  • Tests

    • Extensive test coverage for detection, suppression, export, normalization, concurrency, blocklist handling, and lifecycle behaviors.
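
The per-host counting described under "What it does", together with the host and port normalization listed under "Testing", as an added example that is not code from this PR or from nuclei. Detector, NormalizeHost and Record are hypothetical names, the sample targets are constructed, flagging at count >= threshold is an assumption, and the LRU bound and blocklist are left out:

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"sync"
)

// Detector (hypothetical type) keeps a set of distinct template IDs per normalized host.
type Detector struct {
	mu        sync.Mutex
	threshold int
	seen      map[string]map[string]struct{}
}

func NewDetector(threshold int) *Detector {
	return &Detector{threshold: threshold, seen: map[string]map[string]struct{}{}}
}

// NormalizeHost drops scheme, path, port and IPv6 brackets so every port and URL form of a host shares one counter.
func NormalizeHost(t string) string {
	t = strings.TrimLeft(t[strings.Index(t, "://")+1:], "/")
	t, _, _ = strings.Cut(t, "/")
	if h, _, err := net.SplitHostPort(t); err == nil {
		t = h
	}
	return strings.ToLower(strings.Trim(t, "[]"))
}

// Record notes one match; flagged is true only on the call that reaches the threshold, so the warning fires once.
func (d *Detector) Record(target, templateID string) (count int, flagged bool) {
	d.mu.Lock()
	defer d.mu.Unlock()
	host := NormalizeHost(target)
	if d.seen[host] == nil {
		d.seen[host] = map[string]struct{}{}
	}
	before := len(d.seen[host])
	d.seen[host][templateID] = struct{}{} // a repeated template ID does not grow the set
	count = len(d.seen[host])
	return count, before < d.threshold && count >= d.threshold
}

func main() { // constructed sample: one host reached over two ports
	d := NewDetector(2)
	fmt.Println(d.Record("203.0.113.7:80", "tpl-a"))
	fmt.Println(d.Record("https://203.0.113.7:8443/login", "tpl-b"))
}
```

Without the normalization step, a host that answers every template on several ports would be tracked as several hosts and could stay under the threshold on each of them.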

Claim

Total prize pool $250
Total paid $0
Status Pending
Submitted February 02, 2026
Last updated February 02, 2026

Contributors

Nati

@natinew77-creator

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$250