PR
feat: Add honeypot detection feature
projectdiscovery/nuclei#6801

/claim #6403

Summary

This PR implements honeypot detection for nuclei to identify hosts that intentionally match an abnormally high percentage of templates, which may be honeypots designed to generate false positives.

Problem

Some hosts on Shodan respond positively to every nuclei template matcher to generate noise/false positives. These honeypots can flood scan results with useless data.

Solution

Implemented a honeypot detection feature that:

  • Tracks template matches per host during scan
  • Calculates match ratio (matches / total templates)
  • Warns when a host exceeds a configurable threshold (default 50%)
  • Provides a summary of suspected honeypots at scan completion

Usage

# Enable honeypot detection with default 50% threshold
nuclei -u target.com -hpd
# Enable with custom threshold (e.g., 30%)
nuclei -u target.com -hpd -hpt 30

New CLI Flags

Flag                  Short  Description                     Default
--honeypot-detection  -hpd   Enable honeypot detection       false
--honeypot-threshold  -hpt   Detection threshold percentage  50

Implementation Details

  • pkg/protocols/common/honeypotdetection: Core detection logic with thread-safe caching
  • pkg/output/honeypot_writer.go: Output wrapper that intercepts results for tracking
  • Integration with runner, types, and CLI options
  • Minimum 10 templates required before detection triggers (to avoid false positives on small scans)
  • Duplicate template matches for the same host are not counted

Testing

Added comprehensive unit tests including:

  • Basic match recording
  • Duplicate template handling
  • Threshold detection
  • Concurrent access safety
  • URL normalization

Fixes #6403

Summary by CodeRabbit

  • New Features

    • Added honeypot detection to identify potential honeypots during scans and report suspected hosts.
    • New options to enable detection and configure sensitivity (threshold).
    • Output now records honeypot matches and includes detection data in scan reporting.
  • Tests

    • Added comprehensive unit tests covering detection logic, normalization, concurrency, and edge cases.
  • Chores

    • Updated ignore patterns to exclude nuclei-test artifacts.

Claim

Total prize pool $250
Total paid $0
Status Pending
Submitted February 02, 2026
Last updated February 02, 2026

Contributors

Erdogan Kervanli

@erdogan98

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$250
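
A sketch of the per-host match-ratio check the PR description outlines, added here as an illustration; it is not the code from the PR or from nuclei. The names Tracker, NewTracker, Record and normalizeHost are hypothetical. It also assumes that "exceeds" means strictly greater than, that the 10-template minimum refers to the templates loaded for the scan, and that normalization reduces a target to a lower-cased host[:port].

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"sync"
)
type Tracker struct { // hypothetical type, not the one in the PR
	mu        sync.Mutex
	total     int                            // templates loaded for the scan
	threshold float64                        // percent; the PR's default is 50
	seen      map[string]map[string]struct{} // host -> set of matched template IDs
}
func NewTracker(total int, threshold float64) *Tracker {
	return &Tracker{total: total, threshold: threshold, seen: map[string]map[string]struct{}{}}
}
// normalizeHost (assumed rule): reduce a URL or bare host to lower-cased host[:port].
func normalizeHost(target string) string {
	t := strings.TrimSpace(target)
	if !strings.Contains(t, "://") {
		t = "http://" + t
	}
	if u, err := url.Parse(t); err == nil && u.Host != "" {
		return strings.ToLower(u.Host)
	}
	return strings.ToLower(strings.TrimSpace(target))
}

// Record stores one match and reports whether the host now exceeds the threshold.
func (t *Tracker) Record(target, templateID string) bool {
	host := normalizeHost(target)
	t.mu.Lock() // results arrive from concurrent workers
	defer t.mu.Unlock()
	if t.seen[host] == nil {
		t.seen[host] = map[string]struct{}{}
	}
	t.seen[host][templateID] = struct{}{} // set: a repeated template is counted once
	if t.total < 10 {                     // assumed reading of the 10-template minimum
		return false
	}
	return float64(len(t.seen[host]))*100/float64(t.total) > t.threshold
}

func main() {
	tr := NewTracker(20, 50) // constructed scan: 20 templates, 50% threshold
	for i := 0; i <= 10; i++ {
		fmt.Println(i+1, tr.Record("https://Example.test/x", fmt.Sprintf("tpl-%d", i)))
	}
}
```

With 20 templates the host is flagged on its 11th distinct match (55%), not on the 10th (exactly 50%).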