--- tcpspy-1.7d.orig/tcpspy.rules
+++ tcpspy-1.7d/tcpspy.rules
@@ -0,0 +1,60 @@
+# tcpspy.rules for tcpspy Debian GNU/Linux package
+# Written by Pablo Lorenzzoni
+#
+# Lines containing a # will be ignored. Blank lines too.
+#
+# Rule Syntax - this is a copy of tcpspy.rules(5)
+# A rule may be specified with the following comparison
+# operators:
+#
+# user uid
+# True if the local user initiating or accepting the
+# connection has the effective user id uid.
+#
+# user "username"
+# Same as above, but using a username instead of a
+# user id.
+#
+# lport port
+# True if the local end of the connection has port
+# number port.
+#
+# lport [low] - [high]
+# True if the local end of the connection has a port
+# number greater than or equal to low and less than
+# or equal to high. If the form low- is used, high
+# is assumed to be 65535. If the form -high is used,
+# low is assumed to be 0. It is an error to omit both
+# low and high.
+#
+# lport "service"
+# Same as above, but using a service name from
+# /etc/services instead of a port number.
+#
+# rport Same as lport but compares the port number of the
+# remote end of the connection.
+#
+# laddr n.n.n.n[/m.m.m.m]
+# Interpreted as a "net/mask" expression; true if
+# "net" is equal to the bitwise AND of the local
+# address of the connection and "mask". If no mask is
+# specified, a default mask with all bits set
+# (255.255.255.255) is used.
+#
+# raddr Same as laddr but compares the remote address.
+#
+# exe "pattern"
+# True if the full filename (including directory) of
+# the executable that created/accepted the connection
+# matches pattern, a glob(7)-style wildcard pattern.
+#
+# The pattern "" (an empty string) matches connec-
+# tions created/accepted by processes whose exe-
+# cutable filename is unknown.
+#
+# If the -p option is not specified, a warning mes-
+# sage will be printed, and the result of this com-
+# parison will always be true.
+#
+# By default this file is empty. 
This means tcpspy will log everything
+#
--- tcpspy-1.7d.orig/Makefile
+++ tcpspy-1.7d/Makefile
@@ -1,11 +1,15 @@
 # Makefile for tcpspy
 # Tim J. Robbins, 2000
+# Modified for Debian GNU/Linux by Pablo Lorenzzoni
 # $Id: Makefile,v 2.5 2001/04/25 01:40:17 tim Stab $
 # You may specify the syslog facility to use here. If in doubt, use LOG_DAEMON
 # or LOG_LOCAL[0-7]. See the syslog(3) manual page for a complete list of
 # facilities.
-CFLAGS+=-DFACILITY=LOG_LOCAL1
+# Edited for Debian GNU/Linux
+# original line:
+# default: CFLAGS+=-DFACILITY=LOG_LOCAL1
+CFLAGS+=-DFACILITY=LOG_DAEMON
 # You may also override the default number of buckets in the connection table
 # here, but this not usually necessary.
@@ -17,8 +21,19 @@
 # Add any other options for the compiler here
 CFLAGS+=-O2 -Wall -W
+# Added for Debian GNU/Linux.
+prefix =
+BIN = $(prefix)/usr/sbin
+ETC = $(prefix)/etc
+MANPAGE8 = $(prefix)/usr/share/man/man8
+MANPAGE5 = $(prefix)/usr/share/man/man5
+DOC = $(prefix)/usr/share/doc/tcpspy
-default: tcpspy
+
+# Edited for Debian GNU/Linux
+# original line:
+# default: tcpspy
+default: tcpspy doc
 all: tcpspy doc
 tcpspy: log.o rule_lexer.o rule_grammar.o rule.o tcpspy.o
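Review bot: The header line `# Lines containing a # will be ignored.` overstates what the parser does: tcpspy(8) in this same patch says that `#` starts a comment running to the end of the line, so a line such as `user "joe" # ops box` is a live rule, not an ignored one. Suggested wording: `# Everything from a # to the end of the line is a comment; blank lines are ignored.` The closing `By default this file is empty. This means tcpspy will log everything` also deserves a caveat, because if the header is right every TCP connection on the host (username, local and remote address/port) is then written to syslog, which is the noisiest possible default; a line such as `# Add at least one rule below to restrict what gets logged.` would make that choice explicit to the admin editing the file.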
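Review bot: `CFLAGS+=-DFACILITY=LOG_DAEMON` keeps a mandatory preprocessor define in a user-overridable variable, so any `make CFLAGS=...` from debian/rules (for instance to inject hardening flags) silently drops the define, because a command-line assignment overrides every `CFLAGS+=` in the file. If the object rules rely on make's built-in `.c` rule, as the recipe-less `tcpspy.o: tcpspy.c` in the next hunk suggests, the define belongs in `CPPFLAGS += -DFACILITY=LOG_DAEMON`; otherwise `override CFLAGS += -DFACILITY=LOG_DAEMON` keeps it regardless of the command line. The commented-out history line `# default: CFLAGS+=-DFACILITY=LOG_LOCAL1` also carries a `default:` prefix that reads like a target name; `# original line: CFLAGS+=-DFACILITY=LOG_LOCAL1` is what the surrounding comment means.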
@@ -39,14 +54,30 @@
 tcpspy.o: tcpspy.c
 doc:
- groff -Tps -man tcpspy.8 >tcpspy.ps
- ps2pdf tcpspy.ps tcpspy.pdf
+ groff -Tps -man tcpspy.8 > tcpspy.ps
+
+# Removed for preventing conflicts with Debian GNU/Linux autobuilders
+# (mainly lack of gs and fonts packages)
+# ps2pdf tcpspy.ps tcpspy.pdf
+# Added for Debian GNU/Linux (compatibility with the previous version)
+ groff -Thtml -man tcpspy.8 > tcpspy.8.html
 clean:
 rm -f log.o rule_lexer.o rule_grammar.o rule_lexer.c \
 rule_grammar.c rule_grammar.h rule.o tcpspy.o tcpspy \
- tcpspy.ps tcpspy.pdf
+ tcpspy.8.html tcpspy.ps tcpspy.pdf
-install: tcpspy
- install -m 644 -D tcpspy.8 /usr/local/man/man8/tcpspy.8
- install -m 755 -D tcpspy /usr/local/sbin/tcpspy
+# Edited for Debian GNU/Linux
+# original lines:
+# install: tcpspy
+# install -m 644 -D tcpspy.8 /usr/local/man/man8/tcpspy.8
+# install -m 755 -D tcpspy /usr/local/sbin/tcpspy
+install: tcpspy doc
+ install -d $(BIN) $(ETC) $(MANPAGE8) $(MANPAGE5)
+ install -m 755 ./tcpspy $(BIN)
+ install -m 644 tcpspy.rules $(ETC)
+ install -m 644 tcpspy.8 $(MANPAGE8)
+ install -m 644 tcpspy.rules.5 $(MANPAGE5)
+ install -d $(DOC)
+ cp -a tcpspy.8.html $(DOC)
+ cp -a tcpspy.ps $(DOC)
--- tcpspy-1.7d.orig/tcpspy.rules.5
+++ tcpspy-1.7d/tcpspy.rules.5
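Review bot: `cp -a tcpspy.8.html $(DOC)` and `cp -a tcpspy.ps $(DOC)` copy whatever mode, owner and timestamps the build tree happened to have into /usr/share/doc, whereas every other file in this target goes through `install` with an explicit mode; a group-writable checkout would ship group-writable documentation. Replace both with `install -m 644 tcpspy.8.html tcpspy.ps $(DOC)`. `doc`, `clean` and `install` (and `default`/`all` above) are command targets but are not declared phony, so a stray file named `doc` or `install` in the source tree can make `make install` skip its recipe; add `.PHONY: default all doc clean install`. The `doc` recipe also writes its outputs with plain `>` redirection, so a failing groff leaves a truncated tcpspy.ps that looks up to date on the next run; a `.DELETE_ON_ERROR:` line at the top of the file is the cheap fix.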
@@ -0,0 +1,190 @@ +.\" This file is part of tcpspy Debian package, a TCP/IP connection monitor. +.\" In truth this is just an snipped version of tcpspy manpage, which is +.\" copyrighted by Tim J. Robbins under the same terms below. +.\" +.\" Copyright (c) 2001 Pablo Lorenzzoni. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL +.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+.\" +.\" $Id: tcpspy.rules.5,v 1.33 2001/01/28 13:09:12 fyre Exp $ +.TH TCPSPY.RULES 5 "April 2001" Spectra "tcpspy.rules" +.SH NAME +tcpspy.rules \- configuration file for tcpspy +.SH DESCRIPTION +.LP +This file, by default +.IR /etc/tcpspy.rules , +is read by the +.IR /etc/init.d/tcpspy +script at init time in order to configure +tcpspy (see tcpspy(8)) logger filtering rules. +.LP +It might look like: +.IP +.nf +# /etc/tcpspt.rules example +user "joedoe" and rport 22 and raddr 192.168.1.10 +user 1003 +lport 22 or lport 21 +(lport 23 and user "joedoe") or raddr 192.168.1.20 +.fi +.LP +This rules file specifies that tcpspy logs tcp connections according +to 4 rules (line 1 to line 4 - one per each line) using the boolean +logic (see below) to evaluate each rule. +.LP +This particular example logs conections: +.TP +line 1 - for user "joedoe" connecting to 192.168.1.10:22 (remote) +.TP +line 2 - for user whose UID is 1003 +.TP +line 3 - to localhost:22 or localhost:21 +.TP +line 4 - for user "joedoe" to localhost:23 or to 192.168.1.20 (remote) +.LP +Everything from an "#" signal and the end of the line will not be evaluated. +.LP +.PP +.SS "Rule Syntax - just extracted from tcpspy(8)" +A rule may be specified with the following comparison operators: +.TP +.BI user " uid" +True if the local user initiating or accepting the connection has the +.B effective +user id +.IR uid . +.TP +.BI user " \N'34'username\N'34'" +Same as above, but using a username instead of a user id. +.TP +.BI lport " port" +True if the local end of the connection has port number +.IR port . +.TP +.BI lport " [low] - [high]" +True if the local end of the connection has a port number +greater than or equal to +.I low +and less than or equal to +.IR high . +If the form +.I low- +is used, high is assumed to be 65535. +If the form +.I -high +is used, low is assumed to be 0. It is an error to omit both +.IR low " and " high . 
+.TP +.BI lport " \N'34'service\N'34'" +Same as above, but using a service name from +.I /etc/services +instead of a port number. +.TP +.B rport +Same as +.B lport +but compares the port number of the remote end of the connection. +.TP +.BI laddr " n.n.n.n[/m.m.m.m]" +Interpreted as a "net/mask" expression; true if "net" is equal to the bitwise +AND of the local address of the connection and "mask". If no mask is specified, +a default mask with all bits set (255.255.255.255) is used. +.TP +.B raddr +Same as +.B laddr +but compares the remote address. +.TP +.BI exe " \N'34'pattern\N'34'" +True if the full filename (including directory) of the executable that +created/accepted the connection matches +.IR pattern , +a +.BR glob (7)-style +wildcard pattern. +.IP +The pattern "" (an empty string) matches connections created/accepted by +processes whose executable filename is unknown. +.IP +If the +.B -p +option is not specified, a warning message will be printed, and the result of +this comparison will always be true. +.PP +Expressions (including the comparisons listed above) may be joined together +with the following logical operations: +.TP +.IB expr1 " or " expr2 +True if either of +.I expr1 +or +.I expr2 +are true (logical OR). +.TP +.IB expr1 " and " expr2 +True if both +.I expr1 +and +.I expr2 +are true (logical AND). +.TP +.BI not " expr" +True if +.I expr +is false (logical NOT). +.PP +Rules are evaluated from left to right. Whitespace (space, tab and newline) +characters are ignored between "words". Rules consisting of only whitespace +match no connections, but do not cause an error. +Parentheses, '(' and ')' may be placed around expressions to affect the order +of evaluation. +.PP +.SS "Examples" +.TP +These are some sample rules which further demonstrate how they are constructed: +.TP +.nf +user "joe" and rport "ssh" +.fi +Log connections made by user "joe" for the service "ssh". 
+
+.TP
+.nf
+not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")
+.fi
+Log connections made by users "bob" and "joe" to remote port 25 on machines
+not on a fictional "intranet".
+
+.SH AUTHOR
+Tim J. Robbins (tcpspy),
+Pablo Lorenzzoni (this manpage)
+
+.SH SEE ALSO
+.BR glob (7),
+.BR proc (5),
+.BR services (5),
+.BR signal (7),
+.BR syslog (3),
+.BR tcpspy (8)
--- tcpspy-1.7d.orig/debian/tcpspy.default
+++ tcpspy-1.7d/debian/tcpspy.default
@@ -0,0 +1,14 @@
+# Default commandline options for tcpspy. This file is sourced by /bin/sh from
+# /etc/init.d/tcpspy. For more info on commandline options see tcpspy.8
+
+# which rules file to use. leave commented out for default:
+#RULESFILE=/etc/tcpspy.rules
+
+# run as 'nobody' and 'nogroup' by default.
+OPTIONS="-U nobody -G nogroup"
+
+# NOTE: tcpspy must run as root if you want to use tcpspy's '-p'
+# option to log process filenames. comment out the above OPTIONS
+# line and uncomment the below.
+#
+#OPTIONS="-p"
--- tcpspy-1.7d.orig/debian/compat
+++ tcpspy-1.7d/debian/compat
@@ -0,0 +1 @@
+7
--- tcpspy-1.7d.orig/debian/docs
+++ tcpspy-1.7d/debian/docs
@@ -0,0 +1 @@
+README
--- tcpspy-1.7d.orig/debian/copyright
+++ tcpspy-1.7d/debian/copyright
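Review bot: `OPTIONS="-U nobody -G nogroup"` drops privileges to the shared `nobody` account, which every other nobody-owned process on the host can signal (and, depending on the kernel's ptrace policy, attach to); a dedicated system user created in postinst, e.g. `adduser --system --no-create-home --group tcpspy`, isolates the daemon at the same cost. Since the init script executes this file as root with `.`, a header line such as `# This file is sourced by root at boot; keep it owned by root and not writable by others.` is worth adding beside the existing "sourced by /bin/sh" remark. The `-p` block should also say plainly that uncommenting `#OPTIONS="-p"` while removing the `-U`/`-G` line runs the whole daemon as root for the lifetime of the process, not just for the executable-name lookup, so the admin can weigh that against the value of the extra field.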
@@ -0,0 +1,47 @@ +This package was debianized by Pablo Lorenzzoni on +Wed, 18 Apr 2001 19:19:24 -0300. + +It was downloaded from http://box3n.gumbynet.org/~fyre/software/tcpspy.html +but it seems to be relocated at +http://the.wiretapped.net/security/network-monitoring/tcpspy/ + +Upstream Author: Tim J. Robbins + +The debianized version of tcpspy has included an configuration file called +"/etc/tcpspy.rules", a manpage for it (tcpspy.rules(5)), and an init.d +script. This was done by the package author for the sake of ease of +management, and was not included by the upstream author. + +tcpspy is distributed under a BSD-style license (original BSD license can +be found under /usr/share/common-licenses/BSD), which follows: + + +The following statement applies to tcpspy: + +Copyright (c) 2000, 2001 Tim J. Robbins. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL +THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + + --- tcpspy-1.7d.orig/debian/changelog +++ tcpspy-1.7d/debian/changelog 
@@ -0,0 +1,106 @@ +tcpspy (1.7d-4) unstable; urgency=low + + * Applied solution proposed by Craig Sanders . Now + starting up as nobody can be configured via /etc/default/tcpspy. + (Closes: #494915). + * Bump Standards up to 3.8.4. + + -- Pablo Lorenzzoni Wed, 31 Mar 2010 17:11:26 -0300 + +tcpspy (1.7d-3.1) unstable; urgency=low + + * Non-maintainer upload to solve release goal. + * Add LSB dependency header to init.d scripts (Closes: #467408). + + -- Petter Reinholdtsen Mon, 31 Mar 2008 07:48:08 +0200 + +tcpspy (1.7d-3) unstable; urgency=low + + * Fixes a line wrap bug in init.d/tcpspy (Closes: #259877) + + -- Pablo Lorenzzoni Mon, 9 Aug 2004 00:40:20 -0300 + +tcpspy (1.7d-2) unstable; urgency=low + + * Upgraded Standard-Version + * Add URL to the description + * Updated upstream data (mail and URL) + * Added /etc/default/tcpspy to init script (Closes: #134688) + + -- Pablo Lorenzzoni Tue, 24 Feb 2004 07:46:56 -0300 + +tcpspy (1.7d-1) unstable; urgency=low + + * Fixes a crash with an empty ruleset. + * Fixes the split rule problem. + * Fixes the /proc/net/tcp incompatibility problem (Closes: #115613). + * The upstream said that he is out of time to release v2.0, so he'll + get the 1.x series a little far than originally expected. + + -- Pablo Lorenzzoni Fri, 25 Jan 2002 00:00:00 +0000 + +tcpspy (1.7a-1) unstable; urgency=low + + * This is just a simple patch released by the upstream author that makes + tcpspy become a daemon in a more standard way. It also fixes a problem + where long service names from /etc/services get truncated at 5 + characters. + * The upstream author has announced the last release of the 1.x series. + Soon we'll have the tcpspy v2.0. + + -- Pablo Lorenzzoni Mon, 16 Jul 2001 00:04:13 +0000 + +tcpspy (1.7-1) unstable; urgency=low + + * New upstream release + * The upstream author has added a run-time option to change the way tcpspy + deal with the log facility. The default, however, is still LOG_DAEMON as + it was the latest release. 
+ * Also, a warning message is added to the log when tcpspy detects it is + running too slow. This was the way the upstream has found to address bug + #97179, which will not be fixed until v2.0. + + -- Pablo Lorenzzoni Fri, 8 Jun 2001 02:20:59 +0000 + +tcpspy (1.6-3) unstable; urgency=low + + * Logging facility changed from LOG_LOCAL1 to LOG_DAEMON. (Closes: #97980) + * Forgot to mention that I've applied upstream patch tcpspy-1.6a to + version 1.6-1 (which fixes some error with -f new option). + + -- Pablo Lorenzzoni Sun, 20 May 2001 15:13:38 +0000 + +tcpspy (1.6-2) unstable; urgency=low + + * Fixed wrong email address the last changelog. + + -- Pablo Lorenzzoni Mon, 7 May 2001 02:46:45 +0000 + +tcpspy (1.6-1) unstable; urgency=low + + * New upstream release. + * Removed init.d script hack for using a "read rules from file" feature, + since the upstream author had this included. + + -- Pablo Lorenzzoni Fri, 4 May 2001 23:42:42 +0000 + +tcpspy (1.5-2) unstable; urgency=low + + * Added groff, bison, flex to Build-Depends. (Closes: #96213) + + -- Pablo Lorenzzoni Fri, 4 May 2001 03:40:29 +0000 + +tcpspy (1.5-1) unstable; urgency=low + + * Initial Release. (Closes: #95580) + * Adjusted the Makefile to fix $DESTDIR problems and FHS. + * Added init.d script + * Added /etc/tcpspy.rules file with the rules + * Added tcpspy.rules manpage + * Modified tcpspy manpage to point to tcpspy.rules manpage + + -- Pablo Lorenzzoni Wed, 18 Apr 2001 19:19:24 -0300 + +Local variables: +mode: debian-changelog +End: --- tcpspy-1.7d.orig/debian/control +++ tcpspy-1.7d/debian/control 
@@ -0,0 +1,25 @@
+Source: tcpspy
+Build-Depends: debhelper (>= 7), groff, bison, flex
+Section: net
+Priority: optional
+Maintainer: Pablo Lorenzzoni
+Standards-Version: 3.8.4
+
+Package: tcpspy
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Incoming and Outgoing TCP/IP connections logger
+ tcpspy is an administrator's tool that logs information
+ about incoming and outgoing TCP/IP connections. It's
+ written in C and uses no libpcap functions, unlike tcpdump.
+ .
+ Connections are selected for logging with rules, similarly
+ to the filter expressions accepted by tcpdump. The
+ following information is logged: username, local address
+ and port, remote address and port, and, optionally, the
+ executable filename.
+ .
+ At present, only the IPv4 protocol is supported.
+ .
+ The current URL for this project is
+ http://the.wiretapped.net/security/network-monitoring/tcpspy/
--- tcpspy-1.7d.orig/debian/tcpspy.rules.5
+++ tcpspy-1.7d/debian/tcpspy.rules.5
@@ -0,0 +1,190 @@ +.\" This file is part of tcpspy Debian package, a TCP/IP connection monitor. +.\" In truth this is just an snipped version of tcpspy manpage, which is +.\" copyrighted by Tim J. Robbins under the same terms below. +.\" +.\" Copyright (c) 2001 Pablo Lorenzzoni. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL +.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+.\" +.\" $Id: tcpspy.rules.5,v 1.33 2001/01/28 13:09:12 fyre Exp $ +.TH TCPSPY.RULES 5 "April 2001" Spectra "tcpspy.rules" +.SH NAME +tcpspy.rules \- configuration file for tcpspy +.SH DESCRIPTION +.LP +This file, by default +.IR /etc/tcpspy.rules , +is read by the +.IR /etc/init.d/tcpspy +script at init time in order to configure +tcpspy (see tcpspy(8)) logger filtering rules. +.LP +It might look like: +.IP +.nf +# /etc/tcpspt.rules example +user "joedoe" and rport 22 and raddr 192.168.1.10 +user 1003 +lport 22 or lport 21 +(lport 23 and user "joedoe") or raddr 192.168.1.20 +.fi +.LP +This rules file specifies that tcpspy logs tcp connections according +to 4 rules (line 1 to line 4 - one per each line) using the boolean +logic (see below) to evaluate each rule. +.LP +This particular example logs conections: +.TP +line 1 - for user "joedoe" connecting to 192.168.1.10:22 (remote) +.TP +line 2 - for user whose UID is 1003 +.TP +line 3 - to localhost:22 or localhost:21 +.TP +line 4 - for user "joedoe" to localhost:23 or to 192.168.1.20 (remote) +.LP +Everything from an "#" signal and the end of the line will not be evaluated. +.LP +.PP +.SS "Rule Syntax - just extracted from tcpspy(8)" +A rule may be specified with the following comparison operators: +.TP +.BI user " uid" +True if the local user initiating or accepting the connection has the +.B effective +user id +.IR uid . +.TP +.BI user " \N'34'username\N'34'" +Same as above, but using a username instead of a user id. +.TP +.BI lport " port" +True if the local end of the connection has port number +.IR port . +.TP +.BI lport " [low] - [high]" +True if the local end of the connection has a port number +greater than or equal to +.I low +and less than or equal to +.IR high . +If the form +.I low- +is used, high is assumed to be 65535. +If the form +.I -high +is used, low is assumed to be 0. It is an error to omit both +.IR low " and " high . 
+.TP +.BI lport " \N'34'service\N'34'" +Same as above, but using a service name from +.I /etc/services +instead of a port number. +.TP +.B rport +Same as +.B lport +but compares the port number of the remote end of the connection. +.TP +.BI laddr " n.n.n.n[/m.m.m.m]" +Interpreted as a "net/mask" expression; true if "net" is equal to the bitwise +AND of the local address of the connection and "mask". If no mask is specified, +a default mask with all bits set (255.255.255.255) is used. +.TP +.B raddr +Same as +.B laddr +but compares the remote address. +.TP +.BI exe " \N'34'pattern\N'34'" +True if the full filename (including directory) of the executable that +created/accepted the connection matches +.IR pattern , +a +.BR glob (7)-style +wildcard pattern. +.IP +The pattern "" (an empty string) matches connections created/accepted by +processes whose executable filename is unknown. +.IP +If the +.B -p +option is not specified, a warning message will be printed, and the result of +this comparison will always be true. +.PP +Expressions (including the comparisons listed above) may be joined together +with the following logical operations: +.TP +.IB expr1 " or " expr2 +True if either of +.I expr1 +or +.I expr2 +are true (logical OR). +.TP +.IB expr1 " and " expr2 +True if both +.I expr1 +and +.I expr2 +are true (logical AND). +.TP +.BI not " expr" +True if +.I expr +is false (logical NOT). +.PP +Rules are evaluated from left to right. Whitespace (space, tab and newline) +characters are ignored between "words". Rules consisting of only whitespace +match no connections, but do not cause an error. +Parentheses, '(' and ')' may be placed around expressions to affect the order +of evaluation. +.PP +.SS "Examples" +.TP +These are some sample rules which further demonstrate how they are constructed: +.TP +.nf +user "joe" and rport "ssh" +.fi +Log connections made by user "joe" for the service "ssh". 
+
+.TP
+.nf
+not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")
+.fi
+Log connections made by users "bob" and "joe" to remote port 25 on machines
+not on a fictional "intranet".
+
+.SH AUTHOR
+Tim J. Robbins (tcpspy),
+Pablo Lorenzzoni (this manpage)
+
+.SH SEE ALSO
+.BR glob (7),
+.BR proc (5),
+.BR services (5),
+.BR signal (7),
+.BR syslog (3),
+.BR tcpspy (8)
--- tcpspy-1.7d.orig/debian/tcpspy.init
+++ tcpspy-1.7d/debian/tcpspy.init
@@ -0,0 +1,53 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: tcpspy
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: init script for tcpspy
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/tcpspy
+NAME=tcpspy
+DESC=tcpspy
+RULESFILE=/etc/tcpspy.rules
+OPTIONSFILE=/etc/default/$NAME
+OPTIONS=""
+
+test -f $DAEMON || exit 0
+
+set -e
+
+[ -e $OPTIONSFILE ] && . $OPTIONSFILE
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: "
+ CMDLINE="start-stop-daemon --start --quiet --oknodo --exec $DAEMON -- $OPTIONS -f $RULESFILE"
+ eval "$CMDLINE"
+ echo "$NAME."
+ ;;
+ stop)
+ echo -n "Stopping $DESC: "
+ start-stop-daemon --stop --quiet --oknodo --exec $DAEMON
+ echo "$NAME."
+ ;;
+ restart|force-reload)
+ echo -n "Restarting $DESC: "
+ start-stop-daemon --stop --quiet --oknodo --exec $DAEMON
+ sleep 1
+ CMDLINE="start-stop-daemon --start --quiet --oknodo --exec $DAEMON -- $OPTIONS -f $RULESFILE"
+ eval "$CMDLINE"
+ echo "$NAME."
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|restart|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
+
--- tcpspy-1.7d.orig/debian/tcpspy.8
+++ tcpspy-1.7d/debian/tcpspy.8
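Review bot: `eval "$CMDLINE"` in the `start` and `restart` branches re-parses the assembled command line as shell, so quoting or metacharacters in `$OPTIONS` or `$RULESFILE` coming from /etc/default/tcpspy are expanded a second time, and a rules path containing a space cannot be passed at all. Because `/etc/default/tcpspy` is already executed as root by the `.` line, the eval adds no privilege boundary, only fragility; each CMDLINE/eval pair can become the direct call `start-stop-daemon --start --quiet --oknodo --exec "$DAEMON" -- $OPTIONS -f "$RULESFILE"` (OPTIONS is left unquoted on purpose so it word-splits into separate arguments). `stop` matches only on `--exec $DAEMON`; if the binary has been replaced by a package upgrade the running process may no longer match that path and could survive the stop, so adding `--name $NAME` (or a pidfile) is the usual safeguard. `test -f $DAEMON` and `[ -e $OPTIONSFILE ]` would also be safer quoted, even though both values are fixed within this script.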
@@ -0,0 +1,265 @@ +.\" This file is part of tcpspy, a TCP/IP connection monitor. +.\" +.\" Copyright (c) 2000, 2001 Tim J. Robbins. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL +.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $Id: tcpspy.8,v 1.39 2001/05/20 11:52:12 tim Stab $ +.TH TCPSPY 8 "May 2001" TJR "tcpspy 1.7" +.SH NAME +tcpspy \- TCP/IP Connection Monitor +.SH SYNOPSIS +.B tcpspy +.RB [ "-dp" ] +.RB [ "-e" +.IR "rule" ]... +.RB [ "-f" +.IR "rulefile" ]... 
+.RB [ "-F" +.IR "facility" ] +.RB [ "-I" +.IR "interval" ] +.RB [ "-U" +.IR "user" ] +.RB [ "-G" +.IR "group" ] +.SH DESCRIPTION +.I tcpspy +logs information about selected incoming and outgoing TCP/IP connections to +syslog. The following information is logged: username, local address and port, +remote address, port, and optionally the filename of the executable. At +present, only the IPv4 protocol is supported. +.PP +.SS "Options" +.TP +.BI -e " 'rule'" +Log only connections matching the specified rule. Rule syntax is outlined +below. If this option is specified more than once, connections matching any +of the specified rules are logged. You should quote the rule, as shown above. +.TP +.BI -f " rulefile" +Read rules from +.IR rulefile . +Each rule is on a new line. The `#' character may be used to add comments; +everything from this character to the end of the line is ignored. + +The +.B -e +and +.B -f +options may be used together. +.TP +.BI -F " facility" +Log to syslog facility +.I facility +instead of the compile-time default setting. See the +.BR syslog.conf (5) +manual page for a list of facilities. +.TP +.BI -I " interval" +Update the internal state every +.I interval +milliseconds, instead of the default of 1000 ms. Connections that last less +than +.I interval +milliseconds may be missed, so you should experiment to find a value small +enough that it catches most connections, but not so small that it causes +tcpspy to use too much CPU time. +.TP +.BI -U " user" +Switch to the specified user after startup. +.I user +may be a numeric user id or a user name from the system password file. +.TP +.BI -G " group" +Switch to the specified group after startup. +.I group +may be a numeric group id or a group name from the system group file. +If a username to switch to with the +.B -U +option is specified but +.B -G +is omitted, tcpspy will switch to that specified user's primary group. 
+.TP +.B -d +Debugging mode; if this option is specified, tcpspy will not detach from the +console after initialisation, and will log connections to standard output +instead of syslog. +.TP +.B -p +Log the filename of the executable that created/accepted the connection. +You may require superuser privileges to obtain this information for processes +you do not own (this is a kernel limitation). + +This option can greatly increase the amount of CPU time required to +process each connection/disconnection. + +.PP +.SS "Rule Syntax" +A rule may be specified with the +.B -e +option to log information about connections matching this rule, overriding +the default of logging all connections. +.PP +The following comparison operations are defined: +.TP +.BI user " uid" +True if the local user initiating or accepting the connection has the +.B effective +user id +.IR uid . +.TP +.BI user " \N'34'username\N'34'" +Same as above, but using a username instead of a user id. +.TP +.BI lport " port" +True if the local end of the connection has port number +.IR port . +.TP +.BI lport " [low] - [high]" +True if the local end of the connection has a port number +greater than or equal to +.I low +and less than or equal to +.IR high . +If the form +.I low- +is used, high is assumed to be 65535. +If the form +.I -high +is used, low is assumed to be 0. It is an error to omit both +.IR low " and " high . +.TP +.BI lport " \N'34'service\N'34'" +Same as above, but using a service name from +.I /etc/services +instead of a port number. +.TP +.B rport +Same as +.B lport +but compares the port number of the remote end of the connection. +.TP +.BI laddr " n.n.n.n[/m.m.m.m]" +Interpreted as a "net/mask" expression; true if "net" is equal to the bitwise +AND of the local address of the connection and "mask". If no mask is specified, +a default mask with all bits set (255.255.255.255) is used. +.TP +.B raddr +Same as +.B laddr +but compares the remote address. 
+.TP +.BI exe " \N'34'pattern\N'34'" +True if the full filename (including directory) of the executable that +created/accepted the connection matches +.IR pattern , +a +.BR glob (7)-style +wildcard pattern. + +The pattern "" (an empty string) matches connections created/accepted by +processes whose executable filename is unknown. + +If the +.B -p +option is not specified, a warning message will be printed, and the result of +this comparison will always be true. +.PP +Expressions (including the comparisons listed above) may be joined together +with the following logical operations: +.TP +.IB expr1 " or " expr2 +True if either of +.I expr1 +or +.I expr2 +are true (logical OR). +.TP +.IB expr1 " and " expr2 +True if both +.I expr1 +and +.I expr2 +are true (logical AND). +.TP +.BI not " expr" +True if +.I expr +is false (logical NOT). +.PP +Rules are evaluated from left to right. Whitespace (space, tab and newline) +characters are ignored between "words". Rules consisting of only whitespace +match no connections, but do not cause an error. +Parentheses, '(' and ')' may be placed around expressions to affect the order +of evaluation. +.PP +The Examples section contains some sample rules which further demonstrate how +they are constructed. + +.SH "EXIT STATUS" +.TP +0 +The daemon was successfully started +.TP +>0 +An error occurred + +.SH SIGNALS +.TP +.I TERM +Shut down at most +.I interval +milliseconds from now. +.TP +.I INT +(Debugging mode only) Handled identically to +.IR TERM . +.PP +All other signals retain their default behaviour, which is documented in +.BR signal (7). + +.SH EXAMPLES +.TP +tcpspy -e 'user "joe" and rport "ssh"' +Log connections made by user "joe" for the service "ssh". +.TP +tcpspy -e 'not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")' +Log connections made by users "bob" and "joe" to remote port 25 on machines +not on a fictional "intranet". 
+.TP
+tcpspy -e 'exe "/usr/bin/irc"'
+Log connections made by /usr/bin/irc (probably ircII).
+
+.SH AUTHOR
+Tim J. Robbins
+
+.SH SEE ALSO
+.BR glob (7),
+.BR proc (5),
+.BR services (5),
+.BR signal (7),
+.BR syslog (3),
+.BR syslog.conf (5),
+.BR tcpspy.rules (5)
--- tcpspy-1.7d.orig/debian/rules
+++ tcpspy-1.7d/debian/rules
@@ -0,0 +1,54 @@
+#!/usr/bin/make -f
+# tcpspy's debian/rules
+# by Pablo Lorenzzoni
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+
+ $(MAKE)
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ [ ! -f Makefile ] || $(MAKE) clean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_prep
+ dh_installdirs
+
+ $(MAKE) prefix=`pwd`/debian/`dh_listpackages`/ install
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installdocs
+ dh_installinit
+ dh_installman
+ dh_installchangelogs
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
--- tcpspy-1.7d.orig/debian/source/format
+++ tcpspy-1.7d/debian/source/format
@@ -0,0 +1 @@
+1.0
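Review bot: The bare `$(MAKE)` in the `build-stamp` recipe passes no compiler flags, so the daemon is built with upstream's `-O2 -Wall -W` only and none of the toolchain hardening flags (`-fstack-protector`, `-D_FORTIFY_SOURCE=2`, `-Wl,-z,relro`) that a root-started daemon parsing /proc/net/tcp and an admin-supplied rules file should get. Passing them on the make command line would currently discard `-DFACILITY=LOG_DAEMON`, because the upstream Makefile appends that define with a plain `CFLAGS+=` that a command-line `CFLAGS=` overrides, so the Makefile needs `override CFLAGS +=` or `CPPFLAGS` first and then this recipe can become `$(MAKE) CFLAGS="$(CFLAGS) $(HARDENING_CFLAGS)"` (or the `dpkg-buildflags` equivalent where available). `$(MAKE) prefix=\`pwd\`/debian/\`dh_listpackages\`/ install` uses `prefix` as a staging root, which is what the `DESTDIR` convention names, and `$(CURDIR)` avoids the shell fork and the double slash. Nothing here lists debian/tcpspy.8 or debian/tcpspy.rules.5 for dh_installman, so those two copies appear to be unused while `make install` ships the top-level ones; if that is intended, dropping the duplicates avoids the two drifting apart.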