PR
feat: add honeypot detection capability
projectdiscovery/nuclei#6931

Summary

  • Adds post-scan honeypot detection that tracks unique template matches per host and flags hosts exceeding a configurable threshold
  • Introduces a HoneypotWriter that wraps the existing output writer pipeline, intercepting result events to count unique template matches per host
  • Adds three new CLI flags: --honeypot-detection (-hpd), --honeypot-threshold (-hpt, default 100), and --honeypot-exclude (-hpe)
  • When a host exceeds the threshold, a warning is printed at scan completion; optionally, results from detected honeypots can be excluded from output entirely

Motivation

Many hosts on Shodan are configured as honeypots that deliberately return responses matching many nuclei vulnerability templates. This creates noise in scan results and can mislead users. This feature detects such hosts by observing unusually high match rates and warns the user (or optionally drops the results).

Test plan

  • Unit tests added for HoneypotWriter covering detection, exclusion, multiple hosts, duplicate template deduplication, and close behavior
  • go build ./... passes
  • go test ./pkg/output/ -run TestHoneypot passes (6/6 tests)
  • Manual testing: run nuclei with -hpd flag against a known honeypot target and verify warning is printed
  • Manual testing: run with -hpd -hpe to verify results from honeypot hosts are excluded

Usage

# Enable honeypot detection with default threshold (100 unique template matches)
nuclei -u target.com -hpd
# Custom threshold
nuclei -u target.com -hpd -hpt 50
# Exclude honeypot results from output
nuclei -u target.com -hpd -hpe

/claim #6403

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Honeypot detection to flag hosts with unusually many unique template matches.
    • CLI flags: honeypot-detection, honeypot-threshold (default 100), honeypot-exclude to optionally drop results from detected hosts.
    • Options updated to carry honeypot settings across runs.
  • Tests

    • Added unit tests covering detection, exclusion, duplicates, multiple hosts, and close behavior.
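
The counting rule described in the summary, as an added Go example; it is not the PR's HoneypotWriter or any nuclei code. Result, Detector and their methods are hypothetical names, "exceeding" is assumed to mean strictly greater than the threshold, and results are assumed to be buffered until the scan ends so that exclusion also drops matches recorded before a host crossed the threshold.

```go
package main

import "fmt"

// Result is a constructed stand-in for a scan result event, not nuclei's own type.
type Result struct{ Host, TemplateID string }

// Detector is a hypothetical helper that tracks unique template matches per host.
type Detector struct {
	Threshold int
	seen      map[Result]bool // (host, template ID) pairs already counted
	unique    map[string]int  // host -> number of unique template IDs matched
	buffered  []Result        // held back until the scan completes (assumption)
}

// Record buffers the result; a repeated (host, template) pair does not raise the count.
func (d *Detector) Record(r Result) {
	if d.seen == nil {
		d.seen, d.unique = map[Result]bool{}, map[string]int{}
	}
	if !d.seen[r] {
		d.seen[r] = true
		d.unique[r.Host]++
	}
	d.buffered = append(d.buffered, r)
}

// IsHoneypot reports whether the host has more unique matches than Threshold.
func (d *Detector) IsHoneypot(host string) bool {
	return d.unique[host] > d.Threshold
}

// Flush returns the buffered results, dropping flagged hosts when exclude is set.
func (d *Detector) Flush(exclude bool) (out []Result) {
	for _, r := range d.buffered {
		if !(exclude && d.IsHoneypot(r.Host)) {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	d := &Detector{Threshold: 2} // constructed value; the PR's default is 100
	for _, id := range []string{"t1", "t2", "t2", "t3"} { // constructed template IDs
		d.Record(Result{"192.0.2.5", id}) // constructed host
	}
	fmt.Println(d.IsHoneypot("192.0.2.5"), len(d.Flush(true)))
}
```

Counting unique template IDs rather than raw events keeps a single noisy template from flagging a host on its own.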

Claim

Total prize pool $250
Total paid $0
Status Pending
Submitted February 17, 2026
Last updated February 17, 2026

Contributors

285729101

@285729101

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$250