Feature/sigmarule wildcard regex caseinsensitive#119 (#123)

* under constructing

* underconstructing

* fix rule file for SIGMA rule.

* wildcard case insensetive.

* refactor

* Update src/detections/rule.rs

add test triple backshash

Co-authored-by: itiB <is0312vx@ed.ritsumei.ac.jp>

* remove unnecessary if statement

Co-authored-by: itiB <is0312vx@ed.ritsumei.ac.jp>

rules/deep_blue_cli/powershell/4104.yml

@@ -9,7 +9,7 @@ detection:
         Channel: Microsoft-Windows-PowerShell/Operational
         EventID: 4104
         Path: null
-        ScriptBlockText: '.+'
+        ScriptBlockText|re: '.+'
     # condition: selection
 falsepositives:
     - unknown

rules/deep_blue_cli/security/4674.yml

@@ -8,7 +8,7 @@ detection:
     selection:
         Channel: Security
         EventID: 4674
-        ProcessName: '(?i)C:\WINDOWS\SYSTEM32\SERVICE.EXE' # (?i) means case insesitive for Rust Regex
+        ProcessName|re: '(?i)C:\WINDOWS\SYSTEM32\SERVICE.EXE' # (?i) means case insesitive for Rust Regex
         AccessMask: '%%1539'
     # condition: selection
 falsepositives:

rules/deep_blue_cli/security/4688.yml

@@ -8,7 +8,7 @@ detection:
     selection:
         Channel: Security
         EventID: 4688
-        CommandLine: '.+'
+        CommandLine|re: '.+'
     # condition: selection
 falsepositives:
     - unknown

rules/deep_blue_cli/security/_4672.yml

@@ -8,8 +8,7 @@ detection:
     selection:
         Channel: Security
         EventID: 4672
-        PrivilegeList: 
-            contain: SeDebugPrivilege
+        PrivilegeList|contains: SeDebugPrivilege
     # condition: selection
 falsepositives:
     - unknown

rules/deep_blue_cli/sysmon/1.yml

@@ -8,7 +8,7 @@ detection:
     selection:
         Channel: Sysmon
         EventID: 1
-        CommandLine: '.+'
+        CommandLine|re: '.+'
     # condition: selection
 falsepositives:
     - unknown