invalid token '*' in certain condition strings

[veramine]

Could not parse this one:

detection:
  selection1:
    CommandLine|contains: 'setup0.exe -p'
  selection2a:
    CommandLine|contains: 'setup.exe'
  selection2b:
    CommandLine|endswith:
      - '-x:0'
      - '-x:1'
      - '-x:2'
  condition: selection1 or all of selection2*

invalid token '*'

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml

[veramine]

This parses fine:

condition: selection1 or all of selection*

but this doesn't parse:

condition: selection1 or all of selection2*

[twsnmp]

Same issue as #41.

If there is a number in front of the *, this error occurs.

The fix for #41 solves this error.

[twsnmp]

An alternative is to change it so that the * is not preceded by a number, as shown below.

detection:
  selection_a:
    CommandLine|contains: 'setup0.exe -p'
  selection_b_a:
    CommandLine|contains: 'setup.exe'
  selection_b_b:
    CommandLine|endswith:
      - '-x:0'
      - '-x:1'
      - '-x:2'
  condition: selection_a or all of selection_b_*