The Snort Drinking Game

This drinking game was originally invented by Erek Adams.  Unfortunately Erek Adams passed away in October of 2007.  So in order for the drinking game to live on and stay current I have posted it here and revised it.

Welcome to the Snort-Users Drinking Game!

version 1.2

By Erek Adams, revised by Joel Esler and members of the Snort community.  Please send suggestions to eslerj@gmail.com

-----

WARNING: Excessive use of alcohol can be dangerous to your health. Please play this game sensibly. If you start to feel ill or sick, stop playing! Alcohol poisoning is not fun, and you can kill yourself!  Please be sensible! This is for _fun_ only!!

And if you don't like alcohol, please use your beverage of choice!


-----

Instructions: Don't read your Snort-users email for a month. Or failing that, you could use the archives. Start with the first email message for the month. Read it. If an item from the following lists is in the email, take the penalty drink. If not, go on to the next message. Repeat until you can't read anymore, or have an empty bottle. ;-)

Please note: These are cumulative! Be careful, as you could have SIX+ drinks from one email!



Take one drink if.....


  • The question is answered in the documentation.
  • The question is answered in the FAQ.
  • The writer doesn't know how to use Google.
  • The reply is "RTFM"
  • The reply is "It's in the FAQ"
  • Writer is using Red Hat's broken pcap.
  • "Why aren't portscans showing up in ACID?"
  • "Why is Snort not reporting dropped packets the right way on Linux?"
  • Marty complains about Red Hat's brokenness.
  • Writer is using "Linux 8" or "Linux 9".
  • Writer has a .sig over 4 lines.
  • Writer posts a packet capture with the IPs XXX'ed out, but still leaves them in the hex decode below.
  • The drinking game starts its own thread.
  • The question is about ACID
  • Joel tells someone that ACID is dead and they should use BASE
  • The mail is an Out Of Office message
  • Shirkdog rips into someone for sending an Out of Office
  • Someone gets offended by a Shirkdog flame
  • Joel suggests that someone upgrade to the latest version of Snort


Take two drinks if.....
  • Writer obviously has _never_ read any docs.
  • Student from some obscure foreign version of ITT Technical Institute asking the list to do their homework for them
  • Writer obviously doesn't know how to compile.
  • "How can I auto update the rules?"
  • Writer asks "Where is signature XX?" and that's already in the rules.
  • Writer says "It's broken." and includes _nothing useful_ about the setup.
  • Writer says “It’s broken.” and calls Snort ‘crap’
  • Someone replies to a digest mode email, and includes the whole digest.
  • A virus scanner kicks email back to the list.
  • Writer's .sig contains a "The contents of this email.." style disclaimer.
  • Post contains a "Stupid Management Tricks" story.
  • Message says "Please unsubscribe me from this list."
  • Message is _entirely_ blank.
  • Confirmation/signup email gets sent to the entire list.
  • Someone posts a non RFC-1918 IP and remarks that "it's not being used by anyone."
  • Someone replies to a message and has more 'header cruft' in their message than content--Thank you Lotus Notes....
  • You post a message to the list and get an "I am out of the office message...."
  • You realize that _YOU_ were the reason another penalty drink was added to the Drinking Game.
  • You hit "Reply to All" instead of "Reply" and you start your response with the words "Hey Sexy!"
  • Writer says "I've searched Google and can't find the answer." and the answer is in the first 10 results.
  • Writer is planning on creating their own IPS engine made of "magic"
  • Writer wants to implement Snort in hardware
  • Writer wants to know if these “accelerator cards work” with Snort
  • Writer isn't using unified logs / barnyard
  • Writer wonders why barnyard fails to process a non-unified log file.
  • Writer has connected to a non-SPAN switch port
  • Writer has not set ANY variables.
  • Writer is using the CURRENT ruleset, with non-current release
  • Writer wants to know what “CURRENT” means
  • The Sig has that “legal” disclaimer in it.
  • Someone asks why they are not seeing alerts for traffic they are generating on the Snort sensor itself and someone@sourcefire suggests they use -k none to fix it.
  • Someone writes an email to the list asking how to use Snort in their Master's Thesis with a sentence like: "I want to create a project based off of Snort, where do I start?"
  • Someone writes an email to the list asking about Oinkmaster, and someone suggests PulledPork as a replacement.


Take three drinks if.....
  • The message has "Whitehats.com is down" or "Where's another Whitehats?"
  • The message has “Where are the Bleeding-Snort rules?”
  • Someone wants the file vision18.conf.gz.
  • "Can Snort email me alerts?"
  • "Can Snort page me with alerts?"
  • Writer is using an old version (non-current release) of Snort.
  • Writer becomes offended at "Kickass P0rn."
  • Writer becomes offended at comments in source code.
  • Writer isn't even sure what Snort does.
  • Writer starts an OS Holy War.
  • Someone posts in HTML-ized email.
  • Poster's .sig or disclaimer is longer than the reply.
  • Writer has no clue that http://www.Snort.org/ exists.
  • Someone has to correct your drink totals for a penalty.
  • Someone posts their IP asking for a portscan.
  • Writer obviously thinks that Red Hat == Linux.
  • Writer places the question and/or email in the subject and leaves the body of the email blank.
  • You post more than one message to the list and get back an "I am out of the office..." message for _each_ post you made.
  • You have a broken vacation message that responds to each post made to a mailing list.
  • You realize that you just posted a "Hey Sexy!" response to a worldwide mailing list.... From your _work_ email address.
  • Writer has made their own Snort rule(s), and Snort's "Broken" because they don't fire as they expect.
  • Writer complains about a F+ but provides NO usable information
  • Snort only alerts on packets to/from my IP address?
  • Snort only alerts on UDP packets?
  • Writer complains about the lack of documentation, but has somehow missed the /docs directory, the Snort users manual, the forums, hardback and paperback books in all good book shops, FAQs, the notes in the snort.conf file, and installation guides.
  • Someone asks or states that SnortSP (Snort 3.0) is not open source anymore.


And the Big Penalty Drink:
  • If you realize you are drinking to your own post, DOUBLE the penalty.
