Proposed changes

Implements honeypot detection for Nuclei to address the issue where certain Shodan-exposed hosts deliberately serve responses matching a large number of vulnerability templates, producing massive amounts of false positive results. When a host matches an unusually high number of unique template signatures, this PR flags it as a likely honeypot, warns the user, and optionally suppresses results from that host.

/claim #6403

Changes

  • pkg/honeypot/detector.go - New Detector type that tracks unique template IDs matched per normalized host. When the match count crosses a configurable threshold, the host is flagged and a warning is logged. Thread-safe via sync.Mutex. Handles all host/URL forms via normalizeHost (strips scheme, path, query, fragment, userinfo, IPv6 brackets).

  • pkg/honeypot/detector_test.go - 13 unit tests covering: disabled-by-default, nil-safety, threshold triggering, suppress mode, warn-only mode, duplicate template deduplication, multi-host isolation, empty inputs, host normalization (including IPv6 bracket notation), flagged-host listing, summary output, URL normalization, and concurrent access.

  • pkg/output/output.go - Integration into StandardWriter.Write(): records each match with the detector, sets HoneypotDetected: true on the ResultEvent, and optionally returns early to suppress output. Adds HoneypotDetected bool field to ResultEvent (json:"honeypot_detected,omitempty"). Summary printed in Close().

  • pkg/types/types.go - Two new options fields: HoneypotThreshold int and HoneypotSuppressResults bool. Both included in Options.Copy().

  • cmd/nuclei/main.go - Two new CLI flags in the optimization group:

    • -honeypot-threshold / -hpt (int, default 0 = disabled)
    • -honeypot-suppress / -hpq (bool, default false = warn only)

Proof

Since this feature requires scanning actual honeypot hosts, here is the expected behavior based on the implementation and tests:

Warn-only mode (default when detection enabled):

nuclei -target 120.26.237.211 -hpt 10
# When a host matches 10+ unique templates:
[WRN] [honeypot] 120.26.237.211 matched 10 unique templates (threshold: 10) - likely honeypot
# Results still written but tagged in JSON:
{"template-id":"cve-2024-50379","host":"120.26.237.211","honeypot_detected":true,...}

Suppress mode:

nuclei -target 120.26.237.211 -hpt 10 -hpq
# Warning appears, subsequent results silently dropped. Summary at close:
[WRN] [honeypot] 1 host(s) flagged as potential honeypot(s):
- 120.26.237.211 (10 unique template matches)

Design Rationale

  • Minimal footprint: 155 lines in core detector, no external dependencies beyond stdlib + gologger
  • Disabled by default (-hpt 0): opt-in, no behavior change for existing users
  • Warn vs suppress: two-stage approach - users run with warn first, then enable suppression
  • Host normalization: HTTP/HTTPS URLs, bare host:port, IPv4, IPv6 [::1], userinfo stripping
  • Integration point: StandardWriter.Write() is the natural chokepoint, no middleware wrapper needed

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate) - flags documented via CLI help text

This PR was developed with AI assistance (Claude/Anthropic). All changes reviewed against codebase conventions.

Summary by CodeRabbit

  • New Features

    • Honeypot detection to flag hosts with many unique template matches, configurable threshold.
    • New CLI options to set threshold and optionally suppress results from detected honeypots.
    • Output integration: events are marked when a host is flagged, suppressed when configured, and a summary printed on close.
  • Tests

    • Comprehensive tests covering threshold behavior, host normalization, duplicate handling, multi-host isolation, summaries, and concurrency safety.
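The design above (a per-host set of unique template IDs guarded by a mutex, a threshold that flags the host, warn-only versus suppress behaviour, and host normalization that collapses URL, host:port, userinfo and IPv6-bracket forms onto one key) can be illustrated with a small self-contained Go program. This is an added example written for this page, not the code from pkg/honeypot/detector.go; the names NewDetector, Record, FlaggedHosts and Summary are assumptions, the sample hosts and template IDs are constructed, and it assumes that in suppress mode the result that crosses the threshold is dropped along with everything after it.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"sort"
	"strings"
	"sync"
)

// Detector counts distinct template IDs matched per normalized host and flags
// a host once that count reaches Threshold. Threshold <= 0 disables detection,
// mirroring the -hpt 0 default. Illustrative code, not Nuclei's own detector.
type Detector struct {
	Threshold int  // unique templates needed before a host is flagged
	Suppress  bool // true = drop results from flagged hosts (-hpq), false = warn only

	mu      sync.Mutex
	matches map[string]map[string]struct{} // normalized host -> set of template IDs
	flagged map[string]bool
}

// NewDetector is an assumed constructor name; threshold 0 means disabled.
func NewDetector(threshold int, suppress bool) *Detector {
	return &Detector{
		Threshold: threshold,
		Suppress:  suppress,
		matches:   make(map[string]map[string]struct{}),
		flagged:   make(map[string]bool),
	}
}

// normalizeHost reduces scheme://user:pw@host:port/path?q#f, bare host:port,
// and [::1]:port forms to the bare lower-cased host so they share one counter.
func normalizeHost(raw string) string {
	s := strings.TrimSpace(raw)
	if s == "" {
		return ""
	}
	if strings.Contains(s, "://") {
		if u, err := url.Parse(s); err == nil && u.Host != "" {
			s = u.Host // url.Parse already separates userinfo, path, query, fragment
		}
	} else {
		if i := strings.IndexAny(s, "/?#"); i >= 0 { // strip path/query/fragment
			s = s[:i]
		}
		if i := strings.LastIndex(s, "@"); i >= 0 { // strip userinfo
			s = s[i+1:]
		}
	}
	if h, _, err := net.SplitHostPort(s); err == nil { // drop port, unbracket IPv6
		s = h
	}
	s = strings.TrimPrefix(s, "[") // bracketed IPv6 without a port
	s = strings.TrimSuffix(s, "]")
	return strings.ToLower(s)
}

// Record registers a match of templateID on host. It reports whether the host
// is flagged and whether the caller should drop this result. A nil receiver or
// a disabled detector is a no-op, as are empty host or template IDs.
func (d *Detector) Record(host, templateID string) (flagged, suppress bool) {
	if d == nil || d.Threshold <= 0 {
		return false, false
	}
	h := normalizeHost(host)
	if h == "" || templateID == "" {
		return false, false
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	set, ok := d.matches[h]
	if !ok {
		set = make(map[string]struct{})
		d.matches[h] = set
	}
	set[templateID] = struct{}{} // duplicates of the same template are not counted twice
	if !d.flagged[h] && len(set) >= d.Threshold {
		d.flagged[h] = true // warn exactly once per host
		fmt.Printf("[WRN] [honeypot] %s matched %d unique templates (threshold: %d) - likely honeypot\n",
			h, len(set), d.Threshold)
	}
	return d.flagged[h], d.flagged[h] && d.Suppress
}

// FlaggedHosts returns the flagged hosts in sorted order.
func (d *Detector) FlaggedHosts() []string {
	if d == nil {
		return nil
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	hosts := make([]string, 0, len(d.flagged))
	for h := range d.flagged {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

// Summary renders the close-time report; empty string when nothing was flagged.
func (d *Detector) Summary() string {
	hosts := d.FlaggedHosts()
	if len(hosts) == 0 {
		return ""
	}
	var b strings.Builder
	fmt.Fprintf(&b, "[honeypot] %d host(s) flagged as potential honeypot(s):\n", len(hosts))
	d.mu.Lock()
	defer d.mu.Unlock()
	for _, h := range hosts {
		fmt.Fprintf(&b, "- %s (%d unique template matches)\n", h, len(d.matches[h]))
	}
	return b.String()
}

func main() {
	d := NewDetector(3, true) // constructed: threshold 3, suppress mode
	hits := []struct{ host, id string }{ // constructed sample matches
		{"http://198.51.100.7:8080/login", "tpl-a"},
		{"198.51.100.7", "tpl-a"}, // same template, same host: not counted again
		{"https://user:pw@198.51.100.7/", "tpl-b"},
		{"198.51.100.7:443", "tpl-c"}, // third unique template: host flagged
		{"https://198.51.100.7/", "tpl-d"}, // dropped in suppress mode
		{"[2001:db8::1]:8443", "tpl-a"},  // different host, unaffected
	}
	for _, h := range hits {
		flagged, drop := d.Record(h.host, h.id)
		fmt.Printf("%-34s %-6s flagged=%v suppressed=%v\n", h.host, h.id, flagged, drop)
	}
	fmt.Print(d.Summary())
}
```

Running it shows the warning firing once on the third unique template for 198.51.100.7, the later result for that host being suppressed, and the IPv6 host keeping its own independent counter; switching NewDetector's second argument to false gives the warn-only behaviour where Record still reports flagged but never asks the caller to drop the result.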

Claim

Total prize pool: $250
Total paid: $0
Status: Pending
Submitted: February 17, 2026
Last updated: February 17, 2026

Contributors: St34lthcole (@St34lthcole), 100%

Sponsors: ProjectDiscovery (@projectdiscovery), $250