Today I went looking for the "Snort Drinking Game", a joke made by Erek Adams, who, unfortunately for all those involved with Snort and his family + friends, passed away last October. So, in honor of Erek, I repost HIS drinking game here. I did NOT make it, this is EREK's. However, the game is getting a bit hard to find (only via the Wayback Machine was I able to find it), now that Erek's servers are gone.
So, in honor of him:
Welcome to the Snort-Users Drinking Game!
By Erek Adams
The most current version of this can be found at
http://www.theadamsfamily.net/~erek/snort/drinking_game.txt . Please send
suggestions/updates to firstname.lastname@example.org.
WARNING: Excessive use of alcohol can be dangerous to your health. Please
play this game sensibly. If you start to feel ill or sick, stop playing!
Alcohol poisoning is not fun, and you can kill yourself!
Please be sensible! This is for _fun_ only!!
And if you don't like alcohol, please use your beverage of choice!
Instructions: Don't read your snort-users email for a month. Or failing
that, you could use the archives. Start with the first email message for the
month. Read it. If an item from the following lists is in the email, take
the penalty drink. If not, go onto the next message. Repeat until you can't
read anymore, or have an empty bottle. ;-)
Please note: These are cumulative! Be careful, as you could have SIX+ drinks
from one email!
Take one drink if.....
The question is answered in the documentation.
The question is answered in the FAQ.
The writer doesn't know how to use Google.
The reply is "RTFM"
The reply is "It's in the FAQ"
Writer is using Red Hat's broken pcap.
"Why aren't portscans showing up in ACID?"
"Why is snort not reporting dropped packets the right way on Linux?"
Marty complains about Red Hat's brokenness.
Writer is using "Linux 8" or "Linux 9".
Writer has a .sig over 4 lines.
Writer posts a packet capture with the IPs XXX'ed out, but still leaves
them in the hex decode below.
The drinking game starts its own thread.
Take two drinks if.....
Writer obviously has _never_ read any docs.
Writer obviously doesn't know how to compile.
"How can I auto update the rules?"
Writer asks "Where is signature XX?" and that's already in the rules.
Writer says "It's broken." and includes _nothing useful_ about the
Someone replies to a digest mode email, and includes the whole digest.
A virus scanner kicks email back to the list.
Writer's .sig contains a "The contents of this email.." style disclaimer.
Post contains a "Stupid Management Tricks" story.
Message says "Please unsubscribe me from this list."
Message is _entirely_ blank.
Confirmation/signup email gets sent to the entire list.
Someone posts a non RFC-1918 IP and remarks that "it's not being used
Someone replies to a message and has more 'header cruft' in their message
than content--Thank you Lotus Notes....
You post a message to the list and get a "I am out of the office
If you realize that _YOU_ were the reason another penalty drink was
added to the Drinking Game.
You hit "Reply to All" instead of "Reply" and you start your response
with the words "Hey Sexy!"
Writer says "I've searched Google and can't find the answer." and the
answer is in the first 10 results.
Take three drinks if.....
The message has "Whitehats.com is down" or "Where's another
Someone wants the file vision18.conf.gz.
"Can snort email me alerts?"
"Can snort page me with alerts?"
Writer is using an old version (non-current release) of snort.
Writer becomes offended at "Kickass P0rn."
Writer becomes offended at comments in source code.
Writer isn't even sure what snort does.
Writer starts an OS Holy War.
Someone posts in HTML-ized email.
Poster's .sig or disclaimer is longer than the reply.
Writer has no clue that http://www.snort.org/ exists.
Someone has to correct your drink totals for a penalty.
Someone posts their IP asking for a portscan.
Writer obviously thinks that Red Hat == Linux.
Writer places the question and or email in the subject and leaves the
body of the email blank.
You move your mailserver from coast to coast w/o a temp box setup and
your bounces get you unsubscribed from the snort-users list. *sigh*
You post more than one message to the list and get back a "I am out of
the office..." message for _each_ post you made.
You have a broken vacation message that responds to each post made
to a mailing list.
You realize that you just posted a "Hey Sexy!" response to a worldwide
mailing list.... From your _work_ email address.
And the Big Penalty Drink:
If you realize you are drinking to your own post, DOUBLE the penalty.
IOW, if you posted an HTML-ized email, take six (yes, 6) drinks.