PR
feat: add honeypot detection to nuclei
projectdiscovery/nuclei#7206

Summary

This PR implements honeypot detection to identify and skip hosts that return an excessive number of template matches. This is particularly useful for avoiding noise from hosts (e.g., on Shodan) that are configured to “match” every signature to fool scanners.

Changes

  • New Package: Created pkg/protocols/common/honeypotcache to manage unique match tracking using an LRU cache.
  • Global Configuration:
    • Added MaxHostMatch (default 30) to global options.
    • Added NoHoneypot flag to disable the feature.
  • Engine Integration:
    • Updated pkg/core/executors.go to check the honeypot status before executing templates.
    • Updated match handling to record successful matches in the cache.
  • CLI Flags:
    • Added -max-host-match / -mhm to set the threshold.
    • Added -no-honeypot / -nhp to disable detection.
  • SDK Support: Integrated honeypot detection into the Nuclei SDK (lib/sdk.go and lib/sdk_private.go).

How to Test

  1. Run Nuclei against a target with a low match threshold:
    ./nuclei -target <host> -t <templates_dir> -mhm 2

/claim #6403

closes: #6403

Summary by CodeRabbit

  • New Features
    • Added honeypot detection to identify and skip hosts classified as potential honeypots.
    • Added CLI flags: --max-host-match (default: 30) to configure the per-host match threshold, and --no-honeypot to disable detection.
    • Introduced an optional per-host honeypot cache to track matches and enforce the threshold.
    • Skipped-host events are emitted when a host is classified as a honeypot.
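
A sketch of the per-host match tracking described above, added here as an illustration; it is not the code from pkg/protocols/common/honeypotcache. The type and function names, the host-capacity parameter, and flagging a host once its distinct matches reach the threshold are assumptions.

```go
package main

import (
	"container/list"
	"fmt"
)

type hostEntry struct {
	host      string
	templates map[string]struct{} // distinct template IDs that matched this host
}

// HoneypotCache (hypothetical name) tracks matches per host in an LRU of hosts.
type HoneypotCache struct {
	maxHostMatch, capacity int
	order                  *list.List               // front = most recently used
	hosts                  map[string]*list.Element // host -> its list element
}

func NewHoneypotCache(maxHostMatch, capacity int) *HoneypotCache {
	return &HoneypotCache{maxHostMatch, capacity, list.New(), map[string]*list.Element{}}
}

// MarkMatch records a match (a repeated template ID counts once) and reports the host's status.
func (c *HoneypotCache) MarkMatch(host, templateID string) bool {
	el, ok := c.hosts[host]
	if ok {
		c.order.MoveToFront(el)
	} else {
		el = c.order.PushFront(&hostEntry{host, map[string]struct{}{}})
		c.hosts[host] = el
		if c.order.Len() > c.capacity { // evict the least recently used host
			delete(c.hosts, c.order.Remove(c.order.Back()).(*hostEntry).host)
		}
	}
	el.Value.(*hostEntry).templates[templateID] = struct{}{}
	return c.IsHoneypot(host)
}

// IsHoneypot is the check an executor would make before running a template.
func (c *HoneypotCache) IsHoneypot(host string) bool {
	el, ok := c.hosts[host]
	return ok && len(el.Value.(*hostEntry).templates) >= c.maxHostMatch
}

func main() {
	c := NewHoneypotCache(2, 1024) // threshold as in the PR's -mhm 2 test run
	c.MarkMatch("203.0.113.10", "tmpl-a") // constructed host and template IDs
	fmt.Println("flagged:", c.MarkMatch("203.0.113.10", "tmpl-b"))
}
```

This sketch is not safe for concurrent use, so a scanner running templates in parallel would guard it with a mutex. Evicting a host also forgets that it was flagged, so the capacity should exceed the number of hosts in flight.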

Claim

Total prize pool $250
Total paid $0
Status Pending
Submitted March 13, 2026
Last updated March 13, 2026

Contributors

Supreme Labs

@supreme2580

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$250