tcpspy.rules - configuration file for tcpspy
This file, by default /etc/tcpspy.rules, is read by the
/etc/init.d/tcpspy script at init time in order to configure tcpspy
(see tcpspy(8)) logger filtering rules.
It might look like:
-
# /etc/tcpspt.rules example
user "joedoe" and rport 22 and raddr 192.168.1.10
user 1003
lport 22 or lport 21
(lport 23 and user "joedoe") or raddr 192.168.1.20
This rules file specifies that tcpspy logs tcp connections
according to 4 rules (line 1 to line 4 - one per each line) using the
boolean logic (see below) to evaluate each rule.
This particular example logs connections:
- line 1 - for user
"joedoe" connecting to 192.168.1.10:22 (remote)
- line 2 - for user whose
UID is 1003
- line 3 - to *:22 or *:21
(both locally)
- line 4 - for user
"joedoe" to *:23 (local) or to 192.168.1.20 (remote)
Everything from an "#" signal and the end of the line
will not be evaluated.
A rule may be specified with the following comparison
operators:
- user
uid
- True if the local user initiating or accepting the connection has the
effective user id uid.
- user
"username"
- Same as above, but using a username instead of a user id.
- ip
- True if the connection is IPv4.
- ip6
- True if the connection is IPv6.
- lport
port
- True if the local end of the connection has port number port.
- lport [low] -
[high]
- True if the local end of the connection has a port number greater than or
equal to low and less than or equal to high. If the form
low- is used, high is assumed to be 65535. If the form -high
is used, low is assumed to be 0. It is an error to omit both low
and high.
- lport
"service"
- Same as above, but using a service name from /etc/services instead
of a port number.
- rport
- Same as lport but compares the port number of the remote end of the
connection.
- laddr
n.n.n.n[/m.m.m.m]
- laddr
n.n.n.n/m
- laddr
ip6-addr[/m]
- Interpreted as a "net/mask" expression; true if "net"
is equal to the bitwise AND of the local address of the connection and
"mask". If no mask is specified, a default mask with all bits
set (255.255.255.255) is used. The CIDR type netmask is also possible.
With IPv6 only a prefix length netmask is allowed, and the length defaults
to 128. Depending on the address family, these rules contain an implicit
match condition "ip" or "ip6", respectively.
- raddr
- Same as laddr but compares the remote address.
- exe
"pattern"
- True if the full filename (including directory) of the executable that
created/accepted the connection matches pattern, a
glob(7)-style wildcard pattern.
- The pattern "" (an empty string) matches connections
created/accepted by processes whose executable filename is unknown.
- If the -p option is not specified, a warning message will be
printed, and the result of this comparison will always be true.
Expressions (including the comparisons listed above) may be joined
together with the following logical operations:
- expr1 or
expr2
- True if either of expr1 or expr2 are true (logical OR).
- expr1 and
expr2
- True if both expr1 and expr2 are true (logical AND).
- not expr
- True if expr is false (logical NOT).
Rules are evaluated from left to right. Whitespace (space, tab and
newline) characters are ignored between "words". Rules consisting
of only whitespace match no connections, but do not cause an error.
Parentheses, '(' and ')' may be placed around expressions to affect the
order of evaluation.
Tim J. Robbins (tcpspy), Pablo Lorenzzoni (this manpage) and Mats
Erik Andersson (changes for IPv6)
glob(7), proc(5), services(5),
signal(7), syslog(3), tcpspy(8)