type error issue (bzar_dce-rpc_consts.zeek)

[hskte]

There is type mismatching errors when parsing Sets type arrays.

It should be like : [" "], > " ",

the error messages are here:
error in string and /opt/zeek/share/zeek/site/packages/./bzar/./bzar_dce-rpc_consts.zeek, line 25: type clash (string and drsuapi::DRSReplicaSync) error in /opt/zeek/share/zeek/site/packages/./bzar/./bzar_dce-rpc_consts.zeek, line 25 and string: type mismatch (drsuapi::DRSReplicaSync and string) error in /opt/zeek/share/zeek/site/packages/./bzar/./bzar_dce-rpc_consts.zeek, lines 25-26: inconsistent type in set constructor (set(drsuapi::DRSReplicaSync, drsuapi::DRSGetNCChanges)) error in /opt/zeek/share/zeek/site/packages/./bzar/./bzar_dce-rpc_consts.zeek, lines 25-26: type clash in assignment (BZAR::t1003_006_rpc_strings = set(drsuapi::DRSReplicaSync, drsuapi::DRSGetNCChanges))

[hskte]

My zeek version is : zeek version 5.1.1

[JustinAzoff]

The reason for this is that the string sets are declared incorrectly:

This:

	const t1003_006_rpc_strings : set[string] =
	{
		# T1003.006 OS Credential Dumping: DCSync
		["drsuapi::DRSReplicaSync"],
		["drsuapi::DRSGetNCChanges"],
	} &redef;

Should be

	const t1003_006_rpc_strings : set[string] =
	{
		# T1003.006 OS Credential Dumping: DCSync
		"drsuapi::DRSReplicaSync",
		"drsuapi::DRSGetNCChanges",
	} &redef;

zeek used to permit this, but it was not correct syntax and it only really worked by accident (and depending on exactly what the mismatch was, might crash)

[JustinAzoff]

ah, and https://github.com/mitre-attack/bzar/pull/16/files already has the fixes for this

[mmguero]

Should be fixed with #16 being pulled in now.