Provided by: tcpspy_1.7d-4_amd64 
NAME
tcpspy.rules - configuration file for tcpspy
DESCRIPTION
This file, by default /etc/tcpspy.rules, is read by the /etc/init.d/tcpspy script at init
time in order to configure tcpspy (see tcpspy(8)) logger filtering rules.
It might look like:
# /etc/tcpspt.rules example
user "joedoe" and rport 22 and raddr 192.168.1.10
user 1003
lport 22 or lport 21
(lport 23 and user "joedoe") or raddr 192.168.1.20
This rules file specifies that tcpspy logs tcp connections according to 4 rules (line 1 to
line 4 - one per each line) using the boolean logic (see below) to evaluate each rule.
This particular example logs conections:
line 1 - for user "joedoe" connecting to 192.168.1.10:22 (remote)
line 2 - for user whose UID is 1003
line 3 - to localhost:22 or localhost:21
line 4 - for user "joedoe" to localhost:23 or to 192.168.1.20 (remote)
Everything from an "#" signal and the end of the line will not be evaluated.
Rule Syntax - just extracted from tcpspy(8)
A rule may be specified with the following comparison operators:
user uid
True if the local user initiating or accepting the connection has the effective
user id uid.
user "username"
Same as above, but using a username instead of a user id.
lport port
True if the local end of the connection has port number port.
lport [low] - [high]
True if the local end of the connection has a port number greater than or equal to
low and less than or equal to high. If the form low- is used, high is assumed to
be 65535. If the form -high is used, low is assumed to be 0. It is an error to
omit both low and high.
lport "service"
Same as above, but using a service name from /etc/services instead of a port
number.
rport Same as lport but compares the port number of the remote end of the connection.
laddr n.n.n.n[/m.m.m.m]
Interpreted as a "net/mask" expression; true if "net" is equal to the bitwise AND
of the local address of the connection and "mask". If no mask is specified, a
default mask with all bits set (255.255.255.255) is used.
raddr Same as laddr but compares the remote address.
exe "pattern"
True if the full filename (including directory) of the executable that
created/accepted the connection matches pattern, a glob(7)-style wildcard pattern.
The pattern "" (an empty string) matches connections created/accepted by processes
whose executable filename is unknown.
If the -p option is not specified, a warning message will be printed, and the
result of this comparison will always be true.
Expressions (including the comparisons listed above) may be joined together with the
following logical operations:
expr1 or expr2
True if either of expr1 or expr2 are true (logical OR).
expr1 and expr2
True if both expr1 and expr2 are true (logical AND).
not expr
True if expr is false (logical NOT).
Rules are evaluated from left to right. Whitespace (space, tab and newline) characters are
ignored between "words". Rules consisting of only whitespace match no connections, but do
not cause an error. Parentheses, '(' and ')' may be placed around expressions to affect
the order of evaluation.
Examples
These are some sample rules which further demonstrate how they are constructed:
user "joe" and rport "ssh"
Log connections made by user "joe" for the service "ssh".
not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")
Log connections made by users "bob" and "joe" to remote port 25 on machines not on
a fictional "intranet".
AUTHOR
Tim J. Robbins (tcpspy), Pablo Lorenzzoni (this manpage)
SEE ALSO
glob(7), proc(5), services(5), signal(7), syslog(3), tcpspy(8)