Provided by: tcpspy_1.7d-15_amd64 bug


       tcpspy.rules - configuration file for tcpspy


       This  file, by default /etc/tcpspy.rules, is read by the /etc/init.d/tcpspy script at init
       time in order to configure tcpspy (see tcpspy(8)) logger filtering rules.

       It might look like:

              # /etc/tcpspt.rules example
              user "joedoe" and rport 22 and raddr
              user 1003
              lport 22 or lport 21
              (lport 23 and user "joedoe") or raddr

       This rules file specifies that tcpspy logs tcp connections according to 4 rules (line 1 to
       line 4 - one per each line) using the boolean logic (see below) to evaluate each rule.

       This particular example logs connections:

       line 1 - for user "joedoe" connecting to (remote)

       line 2 - for user whose UID is 1003

       line 3 - to *:22 or *:21 (both locally)

       line 4 - for user "joedoe" to *:23 (local) or to (remote)

       Everything from an "#" signal and the end of the line will not be evaluated.

   Rule Syntax - just extracted from tcpspy(8)
       A rule may be specified with the following comparison operators:

       user uid
              True  if  the  local  user initiating or accepting the connection has the effective
              user id uid.

       user "username"
              Same as above, but using a username instead of a user id.

       ip     True if the connection is IPv4.

       ip6    True if the connection is IPv6.

       lport port
              True if the local end of the connection has port number port.

       lport [low] - [high]
              True if the local end of the connection has a port number greater than or equal  to
              low  and  less than or equal to high.  If the form low- is used, high is assumed to
              be 65535.  If the form -high is used, low is assumed to be 0. It  is  an  error  to
              omit both low and high.

       lport "service"
              Same  as  above,  but  using  a  service  name from /etc/services instead of a port

       rport  Same as lport but compares the port number of the remote end of the connection.

       laddr n.n.n.n[/m.m.m.m]

       laddr n.n.n.n/m

       laddr ip6-addr[/m]
              Interpreted as a "net/mask" expression; true if "net" is equal to the  bitwise  AND
              of  the  local  address  of  the  connection and "mask". If no mask is specified, a
              default mask with all bits set ( is used. The CIDR type netmask  is
              also  possible.  With  IPv6 only a prefix length netmask is allowed, and the length
              defaults to 128. Depending on the address family, these rules contain  an  implicit
              match condition "ip" or "ip6", respectively.

       raddr  Same as laddr but compares the remote address.

       exe "pattern"
              True   if   the   full  filename  (including  directory)  of  the  executable  that
              created/accepted the connection matches pattern, a glob(7)-style wildcard pattern.

              The pattern "" (an empty string) matches connections created/accepted by  processes
              whose executable filename is unknown.

              If  the  -p  option  is  not  specified, a warning message will be printed, and the
              result of this comparison will always be true.

       Expressions (including the  comparisons listed above) may  be  joined  together  with  the
       following logical operations:

       expr1 or expr2
              True if either of expr1 or expr2 are true (logical OR).

       expr1 and expr2
              True if both expr1 and expr2 are true (logical AND).

       not expr
              True if expr is false (logical NOT).

       Rules are evaluated from left to right. Whitespace (space, tab and newline) characters are
       ignored between "words". Rules consisting of only whitespace match no connections, but  do
       not  cause  an error.  Parentheses, '(' and ')' may be placed around expressions to affect
       the order of evaluation.

       These are some sample rules which further demonstrate how they are constructed:

       user "joe" and rport "ssh"
              Log connections made by user "joe" for the service "ssh".

       not raddr and rport 25 and (user "bob" or user "joe")
              Log connections made by users "bob" and "joe" to remote port 25 on machines not  on
              a fictional "intranet".


       Tim J. Robbins (tcpspy), Pablo Lorenzzoni (this manpage) and  Mats Erik Andersson (changes
       for IPv6)


       glob(7), proc(5), services(5), signal(7), syslog(3), tcpspy(8)