
Snort Drinking Game by Erek Adams

Today I went looking for the "Snort Drinking Game", a joke made by Erek Adams, who, unfortunately for all those involved with Snort and his family + friends, passed away last October. So, in honor of Erek, I repost HIS drinking game here. I did NOT make it, this is EREK's. However, the game is getting a bit hard to find (only via the Wayback Machine was I able to find it), now that Erek's servers are gone.

So, in honor of him:

Welcome to the Snort-Users Drinking Game!
version 1.00
By Erek Adams
The most current version of this can be found at . Please send
suggestions/updates to

WARNING: Excessive use of alcohol can be dangerous to your health. Please
play this game sensibly. If you start to feel ill or sick, stop playing!
Alcohol poisoning is not fun, and you can kill yourself!

Please be sensible! This is for _fun_ only!!

And if you don't like alcohol, please use your beverage of choice!

Instructions: Don't read your snort-users email for a month. Or failing
that, you could use the archives. Start with the first email message for the
month. Read it. If an item from the following lists is in the email, take
the penalty drink. If not, go onto the next message. Repeat until you can't
read anymore, or have an empty bottle. ;-)

Please note: These are cumulative! Be careful, as you could have SIX+ drinks
from one email!

Let's Begin!!

Take one drink if.....

The question is answered in the documentation.
The question is answered in the FAQ.
The writer doesn't know how to use Google.
The reply is "RTFM"
The reply is "It's in the FAQ"
Writer is using Red Hat's broken pcap.
"Why aren't portscans showing up in ACID?"
"Why is snort not reporting dropped packets the right way on Linux?"
Marty complains about Red Hat's brokenness.
Writer is using "Linux 8" or "Linux 9".
Writer has a .sig over 4 lines.
Writer posts a packet capture with the IPs XXX'ed out, but still leaves
them in the hex decode below.
The drinking game starts its own thread.

Take two drinks if.....

Writer obviously has _never_ read any docs.
Writer obviously doesn't know how to compile.
"How can I auto update the rules?"
Writer asks "Where is signature XX?" and that's already in the rules.
Writer says "It's broken." and includes _nothing useful_ about the
Someone replies to a digest mode email, and includes the whole digest.
A virus scanner kicks email back to the list.
Writer's .sig contains a "The contents of this email.." style disclaimer.
Post contains a "Stupid Management Tricks" story.
Message says "Please unsubscribe me from this list."
Message is _entirely_ blank.
Confirmation/signup email gets sent to the entire list.
Someone posts a non RFC-1918 IP and remarks that "it's not being used
by anyone."
Someone replies to a message and has more 'header cruft' in their message
than content--Thank you Lotus Notes....
You post a message to the list and get a "I am out of the office
If you realize that _YOU_ were the reason another penalty drink was
added to the Drinking Game.
You hit "Reply to All" instead of "Reply" and you start your response
with the words "Hey Sexy!"
Writer says "I've searched Google and can't find the answer." and the
answer is in the first 10 results.

Take three drinks if.....

The message has " is down" or "Where's another
Someone wants the file vision18.conf.gz.
"Can snort email me alerts?"
"Can snort page me with alerts?"
Writer is using an old version (non-current release) of snort.
Writer becomes offended at "Kickass P0rn."
Writer becomes offended at comments in source code.
Writer isn't even sure what snort does.
Writer starts an OS Holy War.
Someone posts in HTML-ized email.
Poster's .sig or disclaimer is longer than the reply.
Writer has no clue that exists.
Someone has to correct your drink totals for a penalty.
Someone posts their IP asking for a portscan.
Writer obviously thinks that Red Hat == Linux.
Writer places the question and or email in the subject and leaves the
body of the email blank.
You move your mailserver from coast to coast w/o a temp box setup and
your bounces get you unsubscribed from the snort-users list. *sigh*
You post more than one message to the list and get back a "I am out of
the office..." message for _each_ post you made.
You have a broken vacation message that responds to each post made
to a mailing list.
You realize that you just posted a "Hey Sexy!" response to a worldwide
mailing list.... From your _work_ email address.

And the Big Penalty Drink:

If you realize you are drinking to your own post, DOUBLE the penalty.
IOW, if you posted a HTML-ized email, take six (yes, 6) drinks.

