@@ -0,0 +1,60 @@
+# tcpspy.rules for tcpspy Debian GNU/Linux package
+# Written by Pablo Lorenzzoni <firstname.lastname@example.org>
+# Lines containing a # will be ignored. Blank lines too.
+# Rule Syntax - this is a copy of tcpspy.rules(5)
+# A rule may be specified with the following comparison
+# user uid
+# True if the local user initiating or accepting the
+# connection has the effective user id uid.
+# user "username"
+# Same as above, but using a username instead of a
+# user id.
+# lport port
+# True if the local end of the connection has port
+# number port.
+# lport [low] - [high]
+# True if the local end of the connection has a port
+# number greater than or equal to low and less than
+# or equal to high. If the form low- is used, high
+# is assumed to be 65535. If the form -high is used,
+# low is assumed to be 0. It is an error to omit both
+# low and high.
+# lport "service"
+# Same as above, but using a service name from
+# /etc/services instead of a port number.
+# rport Same as lport but compares the port number of the
+# remote end of the connection.
+# laddr n.n.n.n[/m.m.m.m]
+# Interpreted as a "net/mask" expression; true if
+# "net" is equal to the bitwise AND of the local
+# address of the connection and "mask". If no mask is
+# specified, a default mask with all bits set
+# (255.255.255.255) is used.
+# raddr Same as laddr but compares the remote address.
+# exe "pattern"
+# True if the full filename (including directory) of
+# the executable that created/accepted the connection
+# matches pattern, a glob(7)-style wildcard pattern.
+# The pattern "" (an empty string) matches connec-
+# tions created/accepted by processes whose exe-
+# cutable filename is unknown.
+# If the -p option is not specified, a warning mes-
+# sage will be printed, and the result of this com-
+# parison will always be true.
+# By default this file is empty. This means tcpspy will log everything
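Review bot: The header comment `# Lines containing a # will be ignored.` disagrees with the tcpspy.rules(5) page added in this same patch, which says only the text from the "#" to the end of the line is skipped. The difference matters for a logging filter: under the first reading a rule with a trailing comment is dropped whole and the connections it was meant to record go unlogged, while under the second it still applies. I would reword the line to match what the rule reader actually does, for example `# Text from a "#" to the end of the line is ignored. Blank lines too.` if the man page is the accurate one. The `exe` entry also says the comparison is always true without `-p`, so a one-line comment stating whether the packaged init script passes `-p` would tell administrators whether `exe` rules filter anything.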
@@ -1,11 +1,15 @@
# Makefile for tcpspy
# Tim J. Robbins, 2000
+# Modified for Debian GNU/Linux by Pablo Lorenzzoni
# $Id: Makefile,v 2.5 2001/04/25 01:40:17 tim Stab $
# You may specify the syslog facility to use here. If in doubt, use LOG_DAEMON
# or LOG_LOCAL[0-7]. See the syslog(3) manual page for a complete list of
+# Edited for Debian GNU/Linux
+# original line:
+# default: CFLAGS+=-DFACILITY=LOG_LOCAL1
# You may also override the default number of buckets in the connection table
# here, but this not usually necessary.
@@ -17,8 +21,19 @@
# Add any other options for the compiler here
CFLAGS+=-O2 -Wall -W
+# Added for Debian GNU/Linux.
+BIN = $(prefix)/usr/sbin
+ETC = $(prefix)/etc
+MANPAGE8 = $(prefix)/usr/share/man/man8
+MANPAGE5 = $(prefix)/usr/share/man/man5
+DOC = $(prefix)/usr/share/doc/tcpspy
+# Edited for Debian GNU/Linux
+# original line:
+# default: tcpspy
+default: tcpspy doc
all: tcpspy doc
tcpspy: log.o rule_lexer.o rule_grammar.o rule.o tcpspy.o
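Review bot: `prefix` is used here as a staging root, which is the job `DESTDIR` conventionally has: `BIN = $(prefix)/usr/sbin` and the four assignments after it hard-code `/usr` and `/etc` behind it. Anyone who runs `make install prefix=/usr` out of habit gets `/usr/usr/sbin`, and with `prefix` unset the install writes straight into the live `/usr/sbin` and `/etc`. I would write `BIN = $(DESTDIR)/usr/sbin` (likewise `ETC`, `MANPAGE8`, `MANPAGE5`, `DOC`), with a comment that the variable is a staging directory for package builds; whatever packaging script passes `prefix` today would need the same rename. `default` and `all` now both require `doc`, so groff becomes a build dependency, and no `.PHONY` declaration for them is visible in this hunk. The `tcpspy:` rule on the last line continues outside the hunk.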
@@ -39,14 +54,30 @@
- groff -Tps -man tcpspy.8 >tcpspy.ps
- ps2pdf tcpspy.ps tcpspy.pdf
+ groff -Tps -man tcpspy.8 > tcpspy.ps
+# Removed for preventing conflicts with Debian GNU/Linux autobuilders
+# (mainly lack of gs and fonts packages)
+# ps2pdf tcpspy.ps tcpspy.pdf
+# Added for Debian GNU/Linux (compatibility with the previous version)
+ groff -Thtml -man tcpspy.8 > tcpspy.8.html
rm -f log.o rule_lexer.o rule_grammar.o rule_lexer.c \
rule_grammar.c rule_grammar.h rule.o tcpspy.o tcpspy \
- tcpspy.ps tcpspy.pdf
+ tcpspy.8.html tcpspy.ps tcpspy.pdf
- install -m 644 -D tcpspy.8 /usr/local/man/man8/tcpspy.8
- install -m 755 -D tcpspy /usr/local/sbin/tcpspy
+# Edited for Debian GNU/Linux
+# original lines:
+# install: tcpspy
+# install -m 644 -D tcpspy.8 /usr/local/man/man8/tcpspy.8
+# install -m 755 -D tcpspy /usr/local/sbin/tcpspy
+install: tcpspy doc
+ install -d $(BIN) $(ETC) $(MANPAGE8) $(MANPAGE5)
+ install -m 755 ./tcpspy $(BIN)
+ install -m 644 tcpspy.rules $(ETC)
+ install -m 644 tcpspy.8 $(MANPAGE8)
+ install -m 644 tcpspy.rules.5 $(MANPAGE5)
+ install -d $(DOC)
+ cp -a tcpspy.8.html $(DOC)
+ cp -a tcpspy.ps $(DOC)
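Review bot: The two `cp -a` lines at the end of the new `install` recipe copy `tcpspy.8.html` and `tcpspy.ps` with whatever owner, group and mode they have in the build tree, while every other installed file gets an explicit mode from `install -m`. A build run under a loose umask or by an unprivileged user would carry those attributes into `$(DOC)`; `install -m 644 tcpspy.8.html tcpspy.ps $(DOC)` keeps them consistent with the rest. `install -m 644 tcpspy.rules $(ETC)` also replaces any rules file already at that path when the recipe is run outside a staging directory, which would silently discard an administrator's logging filter, so a comment that the target is meant for package builds would help. The hunk begins inside the `doc` recipe, and neither that rule header nor the `clean` header is shown.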
@@ -0,0 +1,190 @@
+.\" This file is part of tcpspy Debian package, a TCP/IP connection monitor.
+.\" In truth this is just an snipped version of tcpspy manpage, which is
+.\" copyrighted by Tim J. Robbins under the same terms below.
+.\" Copyright (c) 2001 Pablo Lorenzzoni.
+.\" All rights reserved.
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" $Id: tcpspy.rules.5,v 1.33 2001/01/28 13:09:12 fyre Exp $
+.TH TCPSPY.RULES 5 "April 2001" Spectra "tcpspy.rules"
+tcpspy.rules \- configuration file for tcpspy
+This file, by default
+.IR /etc/tcpspy.rules ,
+is read by the
+script at init time in order to configure
+tcpspy (see tcpspy(8)) logger filtering rules.
+It might look like:
+# /etc/tcpspt.rules example
+user "joedoe" and rport 22 and raddr 192.168.1.10
+lport 22 or lport 21
+(lport 23 and user "joedoe") or raddr 192.168.1.20
+This rules file specifies that tcpspy logs tcp connections according
+to 4 rules (line 1 to line 4 - one per each line) using the boolean
+logic (see below) to evaluate each rule.
+This particular example logs conections:
+line 1 - for user "joedoe" connecting to 192.168.1.10:22 (remote)
+line 2 - for user whose UID is 1003
+line 3 - to localhost:22 or localhost:21
+line 4 - for user "joedoe" to localhost:23 or to 192.168.1.20 (remote)
+Everything from an "#" signal and the end of the line will not be evaluated.
+.SS "Rule Syntax - just extracted from tcpspy(8)"
+A rule may be specified with the following comparison operators:
+.BI user " uid"
+True if the local user initiating or accepting the connection has the
+.IR uid .
+.BI user " \N'34'username\N'34'"
+Same as above, but using a username instead of a user id.
+.BI lport " port"
+True if the local end of the connection has port number
+.IR port .
+.BI lport " [low] - [high]"
+True if the local end of the connection has a port number
+greater than or equal to
+and less than or equal to
+.IR high .
+If the form
+is used, high is assumed to be 65535.
+If the form
+is used, low is assumed to be 0. It is an error to omit both
+.IR low " and " high .
+.BI lport " \N'34'service\N'34'"
+Same as above, but using a service name from
+instead of a port number.
+but compares the port number of the remote end of the connection.
+.BI laddr " n.n.n.n[/m.m.m.m]"
+Interpreted as a "net/mask" expression; true if "net" is equal to the bitwise
+AND of the local address of the connection and "mask". If no mask is specified,
+a default mask with all bits set (255.255.255.255) is used.
+but compares the remote address.
+.BI exe " \N'34'pattern\N'34'"
+True if the full filename (including directory) of the executable that
+created/accepted the connection matches
+.IR pattern ,
+.BR glob (7)-style
+The pattern "" (an empty string) matches connections created/accepted by
+processes whose executable filename is unknown.
+option is not specified, a warning message will be printed, and the result of
+this comparison will always be true.
+Expressions (including the comparisons listed above) may be joined together
+with the following logical operations:
+.IB expr1 " or " expr2
+True if either of
+are true (logical OR).
+.IB expr1 " and " expr2
+True if both
+are true (logical AND).
+.BI not " expr"
+is false (logical NOT).
+Rules are evaluated from left to right. Whitespace (space, tab and newline)
+characters are ignored between "words". Rules consisting of only whitespace
+match no connections, but do not cause an error.
+Parentheses, '(' and ')' may be placed around expressions to affect the order
+These are some sample rules which further demonstrate how they are constructed:
+user "joe" and rport "ssh"
+Log connections made by user "joe" for the service "ssh".
+not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")
+Log connections made by users "bob" and "joe" to remote port 25 on machines
+not on a fictional "intranet".
+Tim J. Robbins (tcpspy),
+Pablo Lorenzzoni (this manpage)
+.SH SEE ALSO
+.BR glob (7),
+.BR proc (5),
+.BR services (5),
+.BR signal (7),
+.BR syslog (3),
+.BR tcpspy (8)