Justin
Ah, that gets hard... the fuzzer will want to do things like insert/remove bytes, but it doesn't understand that when it wants to add a byte, it needs to bump...
wow, that's neat, I had started trying to write something exactly like that, but then realized the problem could be simplified by teaching zeek how to read a simpler format,...
Oh, it would also make it easier to verify crash cases, since the output of the fuzzer would be a regular pcap, not the simplified format that would have to...
Yeah it's in `zeek::Broker::Manager::MakeClone` so definitely related to stores. If you go `up` a bunch on that core dump the `this->location` should shed some more light on what exactly is...
Oh, never mind, it won't... the part that crashes is ``` event Broker::announce_masters(masters: set[string]) { for ( i in masters ) { # this magic name for the store is created...
https://github.com/zeek/zeek/pull/4418 has a fix for the worker side of two of these issues. I'm not 100% sure if this is enough in practice, or if the further data structure changes...
the weird thing about this is that it seems super hard to reproduce, but when it fails it fails 3 times in a row? Also weird that based on how...
ah! and related to running in a sandbox, which makes sense. I was starting to think it must be environmental, why else would it never fail for me (I ran...
The reason for this is that the string sets are declared incorrectly: This: ``` const t1003_006_rpc_strings : set[string] = { # T1003.006 OS Credential Dumping: DCSync ["drsuapi::DRSReplicaSync"], ["drsuapi::DRSGetNCChanges"], } &redef;...
ah, and https://github.com/mitre-attack/bzar/pull/16/files already has the fixes for this