This is NEC USA NWSL (previously CSTC) version 1.0 of Socks5cop,
a program that raises an alarm when socks5 proxy activity meets
user-specified conditions.

This directory contains:

socks5cop	 -- the executable program
scparser	 -- the executable program that parses the input file,
	   	   called by socks5cop.
socks5cop.8	 -- the man page for socks5cop 
socks5cop.conf.5 -- the man page for the socks5cop configuration file
socks5cop.sample -- a sample configuration file
Copyright	 -- the copyright and use notice

To check whether the program raises alarms correctly, use an alarm
without significant consequences. For instance, if you are interested
in whether FAIL[usr] in the last 300 seconds is correctly computed,
add an additional alarm as follows to the configuration file:

		alert_time=300
		WHEN (usr==*) EXEC
		  echo usr FAIL[usr]
		END

Then invoke the program with the -tl options, which trace operations
to the file "/tmp/socks5cop.log" and turn off logging of actions to
the syslog:
		socks5cop -tl
If the -f option is added, the trace will be displayed on the screen.

When the trace flag is on, the program will print the following data 
for each record read from the connection table maintained by Socks5watcher:

- time since 00:00:00 GMT, Jan. 1, 1970, measured in seconds.
- user name.
- dotted ip address of the source.
- dotted ip address of the destination.
- destination port and protocol of the application.
- error: 0 means no error, >0 means a denied connection request.
- incoming bytes so far.
- outgoing bytes so far.
- total bytes: incoming + outgoing.
- pid: process number of the socks server which proxies the connection.
- connection duration so far.
- id: a sequence number increased by one for every new connection.
- read: last time the record was read by Socks5cop. 0 means new entry.
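
The following is an added example, not part of the Socks5cop distribution:
an independent cross-check of the FAIL[usr] value echoed by the test alarm.
It assumes one whitespace-separated record per trace line with the fields in
the order listed above, port and protocol as a single token, and FAIL[usr]
meaning the number of denied requests (error > 0) by that user within
alert_time seconds; the sample records are constructed.

```python
# Added example; the record layout below is an assumption (see lead-in).
FIELDS = ("time", "user", "src", "dst", "port_proto", "error", "in_bytes",
          "out_bytes", "total", "pid", "duration", "id", "read")
NUMERIC = ("time", "error", "in_bytes", "out_bytes", "total", "pid",
           "duration", "id", "read")


def parse_record(line):
    """Return a dict for one trace record, or None if the line is not one."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in NUMERIC:
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec


def fail_counts(lines, now, alert_time=300):
    """Denied requests (error > 0) per user in [now - alert_time, now]."""
    seen_ids = set()
    counts = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["id"] in seen_ids:
            continue  # not a record, or a connection that was re-read
        seen_ids.add(rec["id"])
        if rec["error"] > 0 and now - alert_time <= rec["time"] <= now:
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


# Constructed sample trace: id 18 appears twice (re-read), id 12 is too old.
SAMPLE = """\
1000000000 alice 10.0.0.5 192.0.2.10 23/tcp 1 0 0 0 4321 0 17 0
1000000100 alice 10.0.0.5 192.0.2.10 23/tcp 1 0 0 0 4321 0 18 0
1000000100 alice 10.0.0.5 192.0.2.10 23/tcp 1 0 0 0 4321 0 18 1000000110
1000000120 bob 10.0.0.6 192.0.2.20 80/tcp 0 512 128 640 4322 30 19 0
999999000 bob 10.0.0.6 192.0.2.20 21/tcp 2 0 0 0 4322 0 12 0
trace: not a record
"""

if __name__ == "__main__":
    result = fail_counts(SAMPLE.splitlines(), now=1000000200)
    for user, n in sorted(result.items()):
        print(user, n)
```

Compare the per-user counts with the "usr FAIL[usr]" lines echoed by the
test alarm for the same time window.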


For more information, see http://www.socks.nec.com/. Also, a mailing
list, socks5@syl.dl.nec.com, has been created for discussing problems,
suggestions, etc. To subscribe, send mail to "majordomo@syl.dl.nec.com"
with no subject, and a body which reads "subscribe socks5". People
who just want to submit bugs, or send mail which will not be
distributed to a mailing list, can send mail to
		socks5-bugs@syl.dl.nec.com

When submitting bug reports, it is probably a good idea to turn on
tracing beforehand. Again, this can be done using the -t flag. It
helps us track down exactly what's going on much, much better.


Good luck and we look forward to your feedback.

NEC USA, Networking Systems Lab.
