tcpspy.rules - configuration file for tcpspy
This file, by default /etc/tcpspy.rules
, is read by the
script at init time in order to configure tcpspy
(see tcpspy(8)) logger filtering rules.
It might look like:
# /etc/tcpspt.rules example
user "joedoe" and rport 22 and raddr 192.168.1.10
lport 22 or lport 21
(lport 23 and user "joedoe") or raddr 192.168.1.20
This rules file specifies that tcpspy logs tcp connections according to 4 rules
(line 1 to line 4 - one per each line) using the boolean logic (see below) to
evaluate each rule.
This particular example logs connections:
- line 1 - for user "joedoe" connecting to
- line 2 - for user whose UID is 1003
- line 3 - to *:22 or *:21 (both locally)
- line 4 - for user "joedoe" to *:23 (local) or to
Everything from an "#" signal and the end of the line will not be
A rule may be specified with the following comparison operators:
- user uid
- True if the local user initiating or accepting the
connection has the effective user id uid.
- user "username"
- Same as above, but using a username instead of a user
- True if the connection is IPv4.
- True if the connection is IPv6.
- lport port
- True if the local end of the connection has port number
- lport [low] - [high]
- True if the local end of the connection has a port number
greater than or equal to low and less than or equal to high.
If the form low- is used, high is assumed to be 65535. If the form
-high is used, low is assumed to be 0. It is an error to omit both
low and high.
- lport "service"
- Same as above, but using a service name from
/etc/services instead of a port number.
- Same as lport but compares the port number of the
remote end of the connection.
- laddr n.n.n.n[/m.m.m.m]
- laddr n.n.n.n/m
- laddr ip6-addr[/m]
- Interpreted as a "net/mask" expression; true if
"net" is equal to the bitwise AND of the local address of the
connection and "mask". If no mask is specified, a default mask
with all bits set (255.255.255.255) is used. The CIDR type netmask is also
possible. With IPv6 only a prefix length netmask is allowed, and the
length defaults to 128. Depending on the address family, these rules
contain an implicit match condition "ip" or "ip6",
- Same as laddr but compares the remote address.
- exe "pattern"
- True if the full filename (including directory) of the
executable that created/accepted the connection matches pattern, a
glob(7)-style wildcard pattern.
- The pattern "" (an empty string) matches
connections created/accepted by processes whose executable filename is
- If the -p option is not specified, a warning message
will be printed, and the result of this comparison will always be
Expressions (including the comparisons listed above) may be joined together with
the following logical operations:
- expr1 or expr2
- True if either of expr1 or expr2 are true
- expr1 and expr2
- True if both expr1 and expr2 are true
- not expr
- True if expr is false (logical NOT).
Rules are evaluated from left to right. Whitespace (space, tab and newline)
characters are ignored between "words". Rules consisting of only
whitespace match no connections, but do not cause an error. Parentheses, '('
and ')' may be placed around expressions to affect the order of evaluation.
- These are some sample rules which further demonstrate how
they are constructed:
user "joe" and rport "ssh"
Log connections made by user "joe" for the service
not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")
Log connections made by users "bob" and "joe" to remote
port 25 on machines not on a fictional "intranet".
Tim J. Robbins (tcpspy), Pablo Lorenzzoni (this manpage) and Mats Erik Andersson
(changes for IPv6)