tcpspy (1.7d-4) debian-dir only changes

Summary

 debian/changelog      |  106 ++++++++++++++++++++
 debian/compat         |    1 
 debian/control        |   25 ++++
 debian/copyright      |   47 ++++++++
 debian/docs           |    1 
 debian/rules          |   54 ++++++++++
 debian/source/format  |    1 
 debian/tcpspy.8       |  265 ++++++++++++++++++++++++++++++++++++++++++++++++++
 debian/tcpspy.default |   14 ++
 debian/tcpspy.init    |   53 ++++++++++
 debian/tcpspy.rules.5 |  190 +++++++++++++++++++++++++++++++++++
 11 files changed, 757 insertions(+)

    
download this patch

Patch contents

--- tcpspy-1.7d.orig/debian/tcpspy.default
+++ tcpspy-1.7d/debian/tcpspy.default
@@ -0,0 +1,14 @@
+# Default commandline options for tcpspy. This file is sourced by /bin/sh from
+# /etc/init.d/tcpspy. For more info on commandline options see tcpspy.8
+
+# which rules file to use.  leave commented out for default:
+#RULESFILE=/etc/tcpspy.rules
+
+# run as 'nobody' and 'nogroup' by default.
+OPTIONS="-U nobody -G nogroup"
+
+# NOTE: tcpspy must run as root if you want to use tcpspy's '-p'
+# option to log process filenames.  comment out the above OPTIONS
+# line and uncomment the below.
+#
+#OPTIONS="-p"
--- tcpspy-1.7d.orig/debian/compat
+++ tcpspy-1.7d/debian/compat
@@ -0,0 +1 @@
+7
--- tcpspy-1.7d.orig/debian/docs
+++ tcpspy-1.7d/debian/docs
@@ -0,0 +1 @@
+README
--- tcpspy-1.7d.orig/debian/copyright
+++ tcpspy-1.7d/debian/copyright
@@ -0,0 +1,47 @@
+This package was debianized by Pablo Lorenzzoni <spectra@debian.org> on
+Wed, 18 Apr 2001 19:19:24 -0300.
+
+It was downloaded from http://box3n.gumbynet.org/~fyre/software/tcpspy.html
+but it seems to be relocated at
+http://the.wiretapped.net/security/network-monitoring/tcpspy/
+
+Upstream Author: Tim J. Robbins <tim@robbins.dropbear.id.au>
+
+The debianized version of tcpspy has included an configuration file called
+"/etc/tcpspy.rules", a manpage for it (tcpspy.rules(5)), and an init.d
+script. This was done by the package author for the sake of ease of
+management, and was not included by the upstream author.
+
+tcpspy is distributed under a BSD-style license (original BSD license can
+be found under /usr/share/common-licenses/BSD), which follows:
+
+<follows the original LICENCE file>
+The following statement applies to tcpspy:
+
+Copyright (c) 2000, 2001 Tim J. Robbins. 
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. The name of the author may not be used to endorse or promote products
+   derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+<end of original LICENCE file>
+
--- tcpspy-1.7d.orig/debian/changelog
+++ tcpspy-1.7d/debian/changelog
@@ -0,0 +1,106 @@
+tcpspy (1.7d-4) unstable; urgency=low
+
+  * Applied solution proposed by Craig Sanders <cas@taz.net.au>. Now
+    starting up as nobody can be configured via /etc/default/tcpspy.
+    (Closes: #494915).
+  * Bump Standards up to 3.8.4.
+
+ -- Pablo Lorenzzoni <spectra@debian.org>  Wed, 31 Mar 2010 17:11:26 -0300
+
+tcpspy (1.7d-3.1) unstable; urgency=low
+
+  * Non-maintainer upload to solve release goal.
+  * Add LSB dependency header to init.d scripts (Closes: #467408).
+
+ -- Petter Reinholdtsen <pere@debian.org>  Mon, 31 Mar 2008 07:48:08 +0200
+
+tcpspy (1.7d-3) unstable; urgency=low
+
+  * Fixes a line wrap bug in init.d/tcpspy (Closes: #259877)
+
+ -- Pablo Lorenzzoni <spectra@debian.org>  Mon,  9 Aug 2004 00:40:20 -0300
+
+tcpspy (1.7d-2) unstable; urgency=low
+
+  * Upgraded Standard-Version
+  * Add URL to the description
+  * Updated upstream data (mail and URL)
+  * Added /etc/default/tcpspy to init script (Closes: #134688)
+
+ -- Pablo Lorenzzoni <spectra@debian.org>  Tue, 24 Feb 2004 07:46:56 -0300
+
+tcpspy (1.7d-1) unstable; urgency=low
+
+  * Fixes a crash with an empty ruleset.
+  * Fixes the split rule problem.
+  * Fixes the /proc/net/tcp incompatibility problem (Closes: #115613).
+  * The upstream said that he is out of time to release v2.0, so he'll
+    get the 1.x series a little far than originally expected.
+
+ -- Pablo Lorenzzoni <spectra@debian.org>  Fri, 25 Jan 2002 00:00:00 +0000
+
+tcpspy (1.7a-1) unstable; urgency=low
+
+  * This is just a simple patch released by the upstream author that makes
+    tcpspy become a daemon in a more standard way. It also fixes a problem
+    where long service names from /etc/services get truncated at 5
+    characters.
+  * The upstream author has announced the last release of the 1.x series.
+    Soon we'll have the tcpspy v2.0.
+
+ -- Pablo Lorenzzoni <spectra@debian.org>  Mon, 16 Jul 2001 00:04:13 +0000
+
+tcpspy (1.7-1) unstable; urgency=low
+
+  * New upstream release
+  * The upstream author has added a run-time option to change the way tcpspy
+    deal with the log facility. The default, however, is still LOG_DAEMON as
+    it was the latest release.
+  * Also, a warning message is added to the log when tcpspy detects it is
+    running too slow. This was the way the upstream has found to address bug
+    #97179, which will not be fixed until v2.0.
+
+ -- Pablo Lorenzzoni <spectra@linuxbr.com.br>  Fri,  8 Jun 2001 02:20:59 +0000
+
+tcpspy (1.6-3) unstable; urgency=low
+
+  * Logging facility changed from LOG_LOCAL1 to LOG_DAEMON. (Closes: #97980)
+  * Forgot to mention that I've applied upstream patch tcpspy-1.6a to
+    version 1.6-1 (which fixes some error with -f new option).
+
+ -- Pablo Lorenzzoni <spectra@linuxbr.com.br>  Sun, 20 May 2001 15:13:38 +0000
+
+tcpspy (1.6-2) unstable; urgency=low
+
+  * Fixed wrong email address the last changelog.
+
+ -- Pablo Lorenzzoni <spectra@linuxbr.com.br>  Mon,  7 May 2001 02:46:45 +0000
+
+tcpspy (1.6-1) unstable; urgency=low
+
+  * New upstream release.
+  * Removed init.d script hack for using a "read rules from file" feature,
+    since the upstream author had this included.
+
+ -- Pablo Lorenzzoni <spectra@linuxbr.com.br>  Fri,  4 May 2001 23:42:42 +0000
+
+tcpspy (1.5-2) unstable; urgency=low
+
+  * Added groff, bison, flex to Build-Depends. (Closes: #96213)
+
+ -- Pablo Lorenzzoni <spectra@linuxbr.com.br>  Fri,  4 May 2001 03:40:29 +0000
+
+tcpspy (1.5-1) unstable; urgency=low
+
+  * Initial Release. (Closes: #95580)
+  * Adjusted the Makefile to fix $DESTDIR problems and FHS.
+  * Added init.d script
+  * Added /etc/tcpspy.rules file with the rules
+  * Added tcpspy.rules manpage
+  * Modified tcpspy manpage to point to tcpspy.rules manpage
+
+ -- Pablo Lorenzzoni <spectra@linuxbr.com.br>  Wed, 18 Apr 2001 19:19:24 -0300
+
+Local variables:
+mode: debian-changelog
+End:
--- tcpspy-1.7d.orig/debian/control
+++ tcpspy-1.7d/debian/control
@@ -0,0 +1,25 @@
+Source: tcpspy
+Build-Depends: debhelper (>= 7), groff, bison, flex
+Section: net
+Priority: optional
+Maintainer: Pablo Lorenzzoni <spectra@debian.org>
+Standards-Version: 3.8.4
+
+Package: tcpspy
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Incoming and Outgoing TCP/IP connections logger
+ tcpspy is an administrator's tool that logs information
+ about incoming and outgoing TCP/IP connections. It's
+ written in C and uses no libpcap functions, unlike tcpdump.
+ .
+ Connections are selected for logging with rules, similarly
+ to the filter expressions accepted by tcpdump. The
+ following information is logged: username, local address
+ and port, remote address and port, and, optionally, the
+ executable filename.
+ .
+ At present, only the IPv4 protocol is supported.
+ .
+ The current URL for this project is
+ http://the.wiretapped.net/security/network-monitoring/tcpspy/
--- tcpspy-1.7d.orig/debian/tcpspy.rules.5
+++ tcpspy-1.7d/debian/tcpspy.rules.5
@@ -0,0 +1,190 @@
+.\" This file is part of tcpspy Debian package, a TCP/IP connection monitor.
+.\" In truth this is just an snipped version of tcpspy manpage, which is
+.\" copyrighted by Tim J. Robbins under the same terms below.
+.\"
+.\" Copyright (c) 2001 Pablo Lorenzzoni. 
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $Id: tcpspy.rules.5,v 1.33 2001/01/28 13:09:12 fyre Exp $
+.TH TCPSPY.RULES 5 "April 2001" Spectra "tcpspy.rules"
+.SH NAME
+tcpspy.rules \- configuration file for tcpspy
+.SH DESCRIPTION
+.LP
+This file, by default
+.IR /etc/tcpspy.rules ,
+is read by the
+.IR /etc/init.d/tcpspy 
+script at init time in order to configure
+tcpspy (see tcpspy(8)) logger filtering rules.
+.LP
+It might look like:
+.IP
+.nf
+# /etc/tcpspt.rules example
+user "joedoe" and rport 22 and raddr 192.168.1.10
+user 1003
+lport 22 or lport 21
+(lport 23 and user "joedoe") or raddr 192.168.1.20
+.fi
+.LP
+This rules file specifies that tcpspy logs tcp connections according
+to 4 rules (line 1 to line 4 - one per each line) using the boolean
+logic (see below) to evaluate each rule.
+.LP
+This particular example logs conections:
+.TP
+line 1 - for user "joedoe" connecting to 192.168.1.10:22 (remote)
+.TP
+line 2 - for user whose UID is 1003
+.TP
+line 3 - to localhost:22 or localhost:21
+.TP
+line 4 - for user "joedoe" to localhost:23 or to 192.168.1.20 (remote)
+.LP
+Everything from an "#" signal and the end of the line will not be evaluated.
+.LP
+.PP
+.SS "Rule Syntax - just extracted from tcpspy(8)"
+A rule may be specified with the following comparison operators:
+.TP
+.BI user " uid"
+True if the local user initiating or accepting the connection has the
+.B effective
+user id
+.IR uid .
+.TP
+.BI user " \N'34'username\N'34'"
+Same as above, but using a username instead of a user id.
+.TP
+.BI lport " port"
+True if the local end of the connection has port number
+.IR port .
+.TP
+.BI lport " [low] - [high]"
+True if the local end of the connection has a port number
+greater than or equal to
+.I low
+and less than or equal to
+.IR high .
+If the form
+.I low-
+is used, high is assumed to be 65535.
+If the form
+.I -high
+is used, low is assumed to be 0. It is an error to omit both
+.IR low " and " high .
+.TP
+.BI lport " \N'34'service\N'34'"
+Same as above, but using a service name from
+.I /etc/services
+instead of a port number.
+.TP
+.B rport
+Same as
+.B lport
+but compares the port number of the remote end of the connection.
+.TP
+.BI laddr " n.n.n.n[/m.m.m.m]"
+Interpreted as a "net/mask" expression; true if "net" is equal to the bitwise
+AND of the local address of the connection and "mask". If no mask is specified,
+a default mask with all bits set (255.255.255.255) is used.
+.TP
+.B raddr
+Same as
+.B laddr
+but compares the remote address.
+.TP
+.BI exe " \N'34'pattern\N'34'"
+True if the full filename (including directory) of the executable that 
+created/accepted the connection matches
+.IR pattern ,
+a
+.BR glob (7)-style
+wildcard pattern.
+.IP
+The pattern "" (an empty string) matches connections created/accepted by 
+processes whose executable filename is unknown.
+.IP
+If the
+.B -p
+option is not specified, a warning message will be printed, and the result of
+this comparison will always be true.
+.PP
+Expressions (including the  comparisons listed above) may be joined together
+with the following logical operations:
+.TP
+.IB expr1 " or " expr2
+True if either of
+.I expr1
+or
+.I expr2
+are true (logical OR).
+.TP
+.IB expr1 " and " expr2
+True if both
+.I expr1
+and
+.I expr2
+are true (logical AND).
+.TP
+.BI not " expr"
+True if
+.I expr
+is false (logical NOT).
+.PP
+Rules are evaluated from left to right. Whitespace (space, tab and newline)
+characters are ignored between "words". Rules consisting of only whitespace
+match no connections, but do not cause an error.
+Parentheses, '(' and ')' may be placed around expressions to affect the order
+of evaluation.
+.PP
+.SS "Examples"
+.TP
+These are some sample rules which further demonstrate how they are constructed:
+.TP
+.nf
+user "joe" and rport "ssh"
+.fi
+Log connections made by user "joe" for the service "ssh".
+
+.TP
+.nf
+not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")
+.fi
+Log connections made by users "bob" and "joe" to remote port 25 on machines
+not on a fictional "intranet".
+
+.SH AUTHOR
+Tim J. Robbins (tcpspy),
+Pablo Lorenzzoni (this manpage)
+
+.SH SEE ALSO
+.BR glob (7),
+.BR proc (5),
+.BR services (5),
+.BR signal (7),
+.BR syslog (3),
+.BR tcpspy (8)
--- tcpspy-1.7d.orig/debian/tcpspy.init
+++ tcpspy-1.7d/debian/tcpspy.init
@@ -0,0 +1,53 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          tcpspy
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: init script for tcpspy
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/tcpspy
+NAME=tcpspy
+DESC=tcpspy
+RULESFILE=/etc/tcpspy.rules
+OPTIONSFILE=/etc/default/$NAME
+OPTIONS=""
+
+test -f $DAEMON || exit 0
+
+set -e
+
+[ -e $OPTIONSFILE ] && . $OPTIONSFILE
+
+case "$1" in
+  start)
+	echo -n "Starting $DESC: "
+	CMDLINE="start-stop-daemon --start --quiet --oknodo --exec $DAEMON -- $OPTIONS -f $RULESFILE"
+	eval "$CMDLINE"
+	echo "$NAME."
+	;;
+  stop)
+	echo -n "Stopping $DESC: "
+	start-stop-daemon --stop --quiet --oknodo --exec $DAEMON
+	echo "$NAME."
+	;;
+  restart|force-reload)
+	echo -n "Restarting $DESC: "
+	start-stop-daemon --stop --quiet --oknodo --exec $DAEMON
+	sleep 1
+	CMDLINE="start-stop-daemon --start --quiet --oknodo --exec $DAEMON -- $OPTIONS -f $RULESFILE"
+	eval "$CMDLINE"
+	echo "$NAME."
+	;;
+  *)
+	N=/etc/init.d/$NAME
+	echo "Usage: $N {start|stop|restart|force-reload}" >&2
+	exit 1
+	;;
+esac
+
+exit 0
+
--- tcpspy-1.7d.orig/debian/tcpspy.8
+++ tcpspy-1.7d/debian/tcpspy.8
@@ -0,0 +1,265 @@
+.\" This file is part of tcpspy, a TCP/IP connection monitor.
+.\"
+.\" Copyright (c) 2000, 2001 Tim J. Robbins. 
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $Id: tcpspy.8,v 1.39 2001/05/20 11:52:12 tim Stab $
+.TH TCPSPY 8 "May 2001" TJR "tcpspy 1.7"
+.SH NAME
+tcpspy \- TCP/IP Connection Monitor
+.SH SYNOPSIS
+.B tcpspy
+.RB [ "-dp" ]
+.RB [ "-e"
+.IR "rule" ]...
+.RB [ "-f"
+.IR "rulefile" ]...
+.RB [ "-F"
+.IR "facility" ]
+.RB [ "-I"
+.IR "interval" ]
+.RB [ "-U"
+.IR "user" ]
+.RB [ "-G"
+.IR "group" ]
+.SH DESCRIPTION
+.I tcpspy
+logs information about selected incoming and outgoing TCP/IP connections to
+syslog. The following information is logged: username, local address and port,
+remote address, port, and optionally the filename of the executable. At
+present, only the IPv4 protocol is supported.
+.PP
+.SS "Options"
+.TP
+.BI -e " 'rule'"
+Log only connections matching the specified rule. Rule syntax is outlined
+below. If this option is specified more than once, connections matching any
+of the specified rules are logged. You should quote the rule, as shown above.
+.TP
+.BI -f " rulefile"
+Read rules from
+.IR rulefile .
+Each rule is on a new line. The `#' character may be used to add comments;
+everything from this character to the end of the line is ignored.
+
+The
+.B -e
+and
+.B -f
+options may be used together.
+.TP
+.BI -F " facility"
+Log to syslog facility
+.I facility
+instead of the compile-time default setting. See the
+.BR syslog.conf (5)
+manual page for a list of facilities.
+.TP
+.BI -I " interval"
+Update the internal state every
+.I interval
+milliseconds, instead of the default of 1000 ms. Connections that last less
+than
+.I interval
+milliseconds may be missed, so you should experiment to find a value small
+enough that it catches most connections, but not so small that it causes
+tcpspy to use too much CPU time.
+.TP
+.BI -U " user"
+Switch to the specified user after startup.
+.I user
+may be a numeric user id or a user name from the system password file.
+.TP
+.BI -G " group"
+Switch to the specified group after startup.
+.I group
+may be a numeric group id or a group name from the system group file.
+If a username to switch to with the
+.B -U
+option is specified but
+.B -G
+is omitted, tcpspy will switch to that specified user's primary group.
+.TP
+.B -d
+Debugging mode; if this option is specified, tcpspy will not detach from the
+console after initialisation, and will log connections to standard output
+instead of syslog.
+.TP
+.B -p
+Log the filename of the executable that created/accepted the connection.
+You may require superuser privileges to obtain this information for processes
+you do not own (this is a kernel limitation).
+
+This option can greatly increase the amount of CPU time required to
+process each connection/disconnection.
+
+.PP
+.SS "Rule Syntax"
+A rule may be specified with the
+.B -e
+option to log information about connections matching this rule, overriding
+the default of logging all connections.
+.PP
+The following comparison operations are defined:
+.TP
+.BI user " uid"
+True if the local user initiating or accepting the connection has the
+.B effective
+user id
+.IR uid .
+.TP
+.BI user " \N'34'username\N'34'"
+Same as above, but using a username instead of a user id.
+.TP
+.BI lport " port"
+True if the local end of the connection has port number
+.IR port .
+.TP
+.BI lport " [low] - [high]"
+True if the local end of the connection has a port number
+greater than or equal to
+.I low
+and less than or equal to
+.IR high .
+If the form
+.I low-
+is used, high is assumed to be 65535.
+If the form
+.I -high
+is used, low is assumed to be 0. It is an error to omit both
+.IR low " and " high .
+.TP
+.BI lport " \N'34'service\N'34'"
+Same as above, but using a service name from
+.I /etc/services
+instead of a port number.
+.TP
+.B rport
+Same as
+.B lport
+but compares the port number of the remote end of the connection.
+.TP
+.BI laddr " n.n.n.n[/m.m.m.m]"
+Interpreted as a "net/mask" expression; true if "net" is equal to the bitwise
+AND of the local address of the connection and "mask". If no mask is specified,
+a default mask with all bits set (255.255.255.255) is used.
+.TP
+.B raddr
+Same as
+.B laddr
+but compares the remote address.
+.TP
+.BI exe " \N'34'pattern\N'34'"
+True if the full filename (including directory) of the executable that 
+created/accepted the connection matches
+.IR pattern ,
+a
+.BR glob (7)-style
+wildcard pattern.
+
+The pattern "" (an empty string) matches connections created/accepted by 
+processes whose executable filename is unknown.
+
+If the
+.B -p
+option is not specified, a warning message will be printed, and the result of
+this comparison will always be true.
+.PP
+Expressions (including the  comparisons listed above) may be joined together
+with the following logical operations:
+.TP
+.IB expr1 " or " expr2
+True if either of
+.I expr1
+or
+.I expr2
+are true (logical OR).
+.TP
+.IB expr1 " and " expr2
+True if both
+.I expr1
+and
+.I expr2
+are true (logical AND).
+.TP
+.BI not " expr"
+True if
+.I expr
+is false (logical NOT).
+.PP
+Rules are evaluated from left to right. Whitespace (space, tab and newline)
+characters are ignored between "words". Rules consisting of only whitespace
+match no connections, but do not cause an error.
+Parentheses, '(' and ')' may be placed around expressions to affect the order
+of evaluation.
+.PP
+The Examples section contains some sample rules which further demonstrate how
+they are constructed.
+
+.SH "EXIT STATUS"
+.TP
+0
+The daemon was successfully started
+.TP
+>0
+An error occurred
+
+.SH SIGNALS
+.TP
+.I TERM
+Shut down at most
+.I interval
+milliseconds from now.
+.TP
+.I INT
+(Debugging mode only) Handled identically to
+.IR TERM .
+.PP
+All other signals retain their default behaviour, which is documented in
+.BR signal (7).
+
+.SH EXAMPLES
+.TP
+tcpspy -e 'user "joe" and rport "ssh"'
+Log connections made by user "joe" for the service "ssh".
+.TP
+tcpspy -e 'not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")'
+Log connections made by users "bob" and "joe" to remote port 25 on machines
+not on a fictional "intranet".
+.TP
+tcpspy -e 'exe "/usr/bin/irc"'
+Log connections made by /usr/bin/irc (probably ircII).
+
+.SH AUTHOR
+Tim J. Robbins <tim@robbins.dropbear.id.au>
+
+.SH SEE ALSO
+.BR glob (7),
+.BR proc (5),
+.BR services (5),
+.BR signal (7),
+.BR syslog (3),
+.BR syslog.conf (5),
+.BR tcpspy.rules (5)
--- tcpspy-1.7d.orig/debian/rules
+++ tcpspy-1.7d/debian/rules
@@ -0,0 +1,54 @@
+#!/usr/bin/make -f
+# tcpspy's debian/rules
+#  by Pablo Lorenzzoni
+
+build: build-stamp
+build-stamp:
+	dh_testdir
+	
+	$(MAKE)
+
+	touch build-stamp
+
+clean:
+	dh_testdir
+	dh_testroot
+	rm -f build-stamp
+
+	[ ! -f Makefile ] || $(MAKE) clean
+
+	dh_clean
+
+install: build
+	dh_testdir
+	dh_testroot
+	dh_prep
+	dh_installdirs
+
+	$(MAKE) prefix=`pwd`/debian/`dh_listpackages`/ install
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+	dh_testdir
+	dh_testroot
+	dh_installdocs
+	dh_installinit
+	dh_installman
+	dh_installchangelogs 
+	dh_link
+	dh_strip
+	dh_compress
+	dh_fixperms
+
+	dh_installdeb
+	dh_shlibdeps
+	dh_gencontrol
+	dh_md5sums
+	dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
--- tcpspy-1.7d.orig/debian/source/format
+++ tcpspy-1.7d/debian/source/format
@@ -0,0 +1 @@
+1.0