Provided by: tcpspy_1.7d-4_i386 bug

NAME

       tcpspy.rules - configuration file for tcpspy

DESCRIPTION

       This   file,   by   default   /etc/tcpspy.rules,   is   read   by   the
       /etc/init.d/tcpspy script at init time in  order  to  configure  tcpspy
       (see tcpspy(8)) logger filtering rules.

       It might look like:

              # /etc/tcpspt.rules example
              user "joedoe" and rport 22 and raddr 192.168.1.10
              user 1003
              lport 22 or lport 21
              (lport 23 and user "joedoe") or raddr 192.168.1.20

       This rules file specifies that tcpspy logs tcp connections according to
       4 rules (line 1 to line 4 - one per each line) using the boolean  logic
       (see below) to evaluate each rule.

       This particular example logs conections:

       line 1 - for user "joedoe" connecting to 192.168.1.10:22 (remote)

       line 2 - for user whose UID is 1003

       line 3 - to localhost:22 or localhost:21

       line 4 - for user "joedoe" to localhost:23 or to 192.168.1.20 (remote)

       Everything  from  an  "#"  signal  and  the end of the line will not be
       evaluated.

   Rule Syntax - just extracted from tcpspy(8)
       A rule may be specified with the following comparison operators:

       user uid
              True if the local user initiating or  accepting  the  connection
              has the effective user id uid.

       user "username"
              Same as above, but using a username instead of a user id.

       lport port
              True if the local end of the connection has port number port.

       lport [low] - [high]
              True  if  the  local  end  of  the  connection has a port number
              greater than or equal to low and less than or equal to high.  If
              the form low- is used, high is assumed to be 65535.  If the form
              -high is used, low is assumed to be 0. It is an  error  to  omit
              both low and high.

       lport "service"
              Same  as  above,  but  using  a  service name from /etc/services
              instead of a port number.

       rport  Same as lport but compares the port number of the remote end  of
              the connection.

       laddr n.n.n.n[/m.m.m.m]
              Interpreted  as  a "net/mask" expression; true if "net" is equal
              to the bitwise AND of the local address of  the  connection  and
              "mask".  If  no  mask is specified, a default mask with all bits
              set (255.255.255.255) is used.

       raddr  Same as laddr but compares the remote address.

       exe "pattern"
              True  if  the  full  filename  (including  directory)   of   the
              executable that created/accepted the connection matches pattern,
              a glob(7)-style wildcard pattern.

              The  pattern  ""   (an   empty   string)   matches   connections
              created/accepted  by  processes  whose  executable  filename  is
              unknown.

              If the -p option is not specified, a  warning  message  will  be
              printed,  and the result of this comparison will always be true.

       Expressions (including the  comparisons listed  above)  may  be  joined
       together with the following logical operations:

       expr1 or expr2
              True if either of expr1 or expr2 are true (logical OR).

       expr1 and expr2
              True if both expr1 and expr2 are true (logical AND).

       not expr
              True if expr is false (logical NOT).

       Rules  are  evaluated  from  left  to right. Whitespace (space, tab and
       newline) characters are ignored between "words".  Rules  consisting  of
       only  whitespace  match  no  connections,  but  do  not cause an error.
       Parentheses, ’(’ and ’)’ may be placed around expressions to affect the
       order of evaluation.

   Examples
       These  are  some  sample  rules  which further demonstrate how they are
       constructed:

       user "joe" and rport "ssh"
              Log connections made by user "joe" for the service "ssh".

       not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")
              Log  connections made by users "bob" and "joe" to remote port 25
              on machines not on a fictional "intranet".

AUTHOR

       Tim J. Robbins (tcpspy), Pablo Lorenzzoni (this manpage)

SEE ALSO

       glob(7), proc(5), services(5), signal(7), syslog(3), tcpspy(8)