/claim #6403

This PR implements optional honeypot detection for the Nuclei scanner as requested in issue #6403 (https://github.com/projectdiscovery/nuclei/issues/6403).

Certain hosts intentionally return a high density of vulnerability signatures (e.g., Spring, Tomcat, PHP, Cisco) to mislead security scanners. This feature tracks the density of unique template matches per host and warns the user when a threshold is exceeded.

Key Features:

  • New CLI Flags:
    • -dh, -detect-honeypot: Enables the honeypot detection logic.
    • -ht, -honeypot-threshold: Configures the number of unique matches per host before a warning is triggered (Default: 20).
  • HoneypotDetector Engine:
    • Host Normalization: Uses urlutil.Hostname() to group matches from the same host regardless of port or scheme (e.g., example.com:443 and http://example.com are counted together).
    • Memory Efficiency: Implements a “track-and-clear” strategy. Once a host hits the threshold and a warning is issued, the detailed tracking map for that host is cleared to prevent memory growth during large-scale scans.
    • High Concurrency: Utilizes a sync.Map for a lock-free “fast-path” check on already-identified honeypots, ensuring negligible performance impact even with hundreds of parallel threads.

Proof

  • Unit Tests: Added pkg/output/honeypot_test.go which verifies:
    • Correct hostname normalization (IPs, domains, ports).
    • Accurate match counting and threshold triggering.
    • Memory cleanup after detection.
    • Correct behavior when disabled.
  • Functional Testing: Verified against scanme.sh with a low threshold (-dh -ht 2).
    • Result: [WRN] [HONEYPOT?] scanme.sh matched 2 templates — results may be unreliable
  • Build Verification: Built the nuclei binary from source and confirmed CLI flags are properly registered and functional.
  • Repository-wide Linting/Formatting: Ran go fmt ./... and verified compatibility with the current dev branch.

Checklist

  • [x] Pull request is created against the dev (https://github.com/projectdiscovery/nuclei/tree/dev) branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate) - CLI help text added via flag registration.

Summary by CodeRabbit

New Features

  • Added honeypot detection capability. When enabled, Nuclei monitors the number of distinct template matches per host and automatically warns when a threshold is reached, indicating a potential honeypot. Two new configuration options available: DetectHoneypot (enable/disable) and HoneypotThreshold (adjust sensitivity, default: 20).
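
The counting logic described under Key Features, as an added Go example that is not code from this PR or from Nuclei: it records distinct template IDs per host, signals once when the threshold is reached, clears that host's detail, and answers later matches for the host from a sync.Map without taking the mutex. The names Detector, NewDetector and Record are hypothetical, and hosts are assumed to arrive already normalized to a bare hostname.

```go
package main

import (
	"fmt"
	"sync"
)

// Detector is a hypothetical stand-in for the PR's HoneypotDetector.
type Detector struct {
	threshold int
	flagged   sync.Map                       // hosts already warned about
	mu        sync.Mutex                     // guards seen
	seen      map[string]map[string]struct{} // host -> distinct template IDs
}

func NewDetector(threshold int) *Detector {
	return &Detector{threshold: threshold, seen: map[string]map[string]struct{}{}}
}

// Record returns true exactly once per host: when its distinct template
// matches reach the threshold. host must already be a bare hostname.
func (d *Detector) Record(host, templateID string) bool {
	if _, ok := d.flagged.Load(host); ok {
		return false // fast path: known honeypot, no mutex taken
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	if _, ok := d.flagged.Load(host); ok {
		return false // flagged while this goroutine waited for the lock
	}
	if d.seen[host] == nil {
		d.seen[host] = map[string]struct{}{}
	}
	d.seen[host][templateID] = struct{}{} // repeats of one template collapse
	if len(d.seen[host]) < d.threshold {
		return false
	}
	d.flagged.Store(host, struct{}{})
	delete(d.seen, host) // track-and-clear: drop the per-host detail
	return true
}

func main() {
	d := NewDetector(2) // constructed matches below, not scanner output
	for _, id := range []string{"tpl-a", "tpl-a", "tpl-b", "tpl-c"} {
		fmt.Println(id, d.Record("example.com", id))
	}
}
```

The second flagged check under the mutex is what keeps the warning to one per host and stops goroutines that were queued on the lock from recreating the cleared map.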

Claim

Total prize pool $250
Total paid $0
Status Pending
Submitted March 07, 2026
Last updated March 07, 2026

Contributors

BISHT.cx

@cherry-bisht

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$250