@@ -0,0 +1,190 @@
+.\" This file is part of tcpspy Debian package, a TCP/IP connection monitor.
+.\" In truth this is just an snipped version of tcpspy manpage, which is
+.\" copyrighted by Tim J. Robbins under the same terms below.
+.\" Copyright (c) 2001 Pablo Lorenzzoni.
+.\" All rights reserved.
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" $Id: tcpspy.rules.5,v 1.33 2001/01/28 13:09:12 fyre Exp $
+.TH TCPSPY.RULES 5 "April 2001" Spectra "tcpspy.rules"
+tcpspy.rules \- configuration file for tcpspy
+This file, by default
+.IR /etc/tcpspy.rules ,
+is read by the
+script at init time in order to configure
+tcpspy (see tcpspy(8)) logger filtering rules.
+It might look like:
+# /etc/tcpspt.rules example
+user "joedoe" and rport 22 and raddr 192.168.1.10
+lport 22 or lport 21
+(lport 23 and user "joedoe") or raddr 192.168.1.20
+This rules file specifies that tcpspy logs tcp connections according
+to 4 rules (line 1 to line 4 - one per each line) using the boolean
+logic (see below) to evaluate each rule.
+This particular example logs conections:
+line 1 - for user "joedoe" connecting to 192.168.1.10:22 (remote)
+line 2 - for user whose UID is 1003
+line 3 - to localhost:22 or localhost:21
+line 4 - for user "joedoe" to localhost:23 or to 192.168.1.20 (remote)
+Everything from an "#" signal and the end of the line will not be evaluated.
+.SS "Rule Syntax - just extracted from tcpspy(8)"
+A rule may be specified with the following comparison operators:
+.BI user " uid"
+True if the local user initiating or accepting the connection has the
+.IR uid .
+.BI user " \N'34'username\N'34'"
+Same as above, but using a username instead of a user id.
+.BI lport " port"
+True if the local end of the connection has port number
+.IR port .
+.BI lport " [low] - [high]"
+True if the local end of the connection has a port number
+greater than or equal to
+and less than or equal to
+.IR high .
+If the form
+is used, high is assumed to be 65535.
+If the form
+is used, low is assumed to be 0. It is an error to omit both
+.IR low " and " high .
+.BI lport " \N'34'service\N'34'"
+Same as above, but using a service name from
+instead of a port number.
+but compares the port number of the remote end of the connection.
+.BI laddr " n.n.n.n[/m.m.m.m]"
+Interpreted as a "net/mask" expression; true if "net" is equal to the bitwise
+AND of the local address of the connection and "mask". If no mask is specified,
+a default mask with all bits set (255.255.255.255) is used.
+but compares the remote address.
+.BI exe " \N'34'pattern\N'34'"
+True if the full filename (including directory) of the executable that
+created/accepted the connection matches
+.IR pattern ,
+.BR glob (7)-style
+The pattern "" (an empty string) matches connections created/accepted by
+processes whose executable filename is unknown.
+option is not specified, a warning message will be printed, and the result of
+this comparison will always be true.
+Expressions (including the comparisons listed above) may be joined together
+with the following logical operations:
+.IB expr1 " or " expr2
+True if either of
+are true (logical OR).
+.IB expr1 " and " expr2
+True if both
+are true (logical AND).
+.BI not " expr"
+is false (logical NOT).
+Rules are evaluated from left to right. Whitespace (space, tab and newline)
+characters are ignored between "words". Rules consisting of only whitespace
+match no connections, but do not cause an error.
+Parentheses, '(' and ')' may be placed around expressions to affect the order
+These are some sample rules which further demonstrate how they are constructed:
+user "joe" and rport "ssh"
+Log connections made by user "joe" for the service "ssh".
+not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")
+Log connections made by users "bob" and "joe" to remote port 25 on machines
+not on a fictional "intranet".
+Tim J. Robbins (tcpspy),
+Pablo Lorenzzoni (this manpage)
+.SH SEE ALSO
+.BR glob (7),
+.BR proc (5),
+.BR services (5),
+.BR signal (7),
+.BR syslog (3),
+.BR tcpspy (8)
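Review bot: The example rules file does not match the explanation that follows it. The text says tcpspy logs according to "4 rules (line 1 to line 4)" and describes line 2 as "for user whose UID is 1003", but only three rules are shown and none of them is a "user 1003" comparison, so the descriptions for lines 3 and 4 point at the wrong rules. Either add the missing "user 1003" rule after the first rule or renumber the descriptions to three lines. In the same example the comment reads "/etc/tcpspt.rules" where the file is /etc/tcpspy.rules. Nearby wording also needs a pass: "an snipped version", "conections", and "from an "#" signal and the end of the line", which should read "from a "#" sign to the end of the line". In the rule syntax text, the sample "not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")" depends on how "not" binds relative to "and", which "Rules are evaluated from left to right" does not settle. A sentence stating the precedence would help administrators write rules that log what they intend.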