
The Snort Drinking Game

This drinking game was originally invented by Erek Adams.  Unfortunately Erek Adams passed away in October of 2007.  So in order for the drinking game to live on and stay current I have posted it here and revised it.

Welcome to the Snort-Users Drinking Game!

version 1.2

By Erek Adams, revised by Joel Esler and members of the Snort community.  Please send suggestions to


WARNING: Excessive use of alcohol can be dangerous to your health. Please play this game sensibly. If you start to feel ill or sick, stop playing! Alcohol poisoning is not fun, and you can kill yourself!  Please be sensible! This is for _fun_ only!!

And if you don't like alcohol, please use your beverage of choice!


Instructions: Don't read your Snort-users email for a month. Or failing that, you could use the archives. Start with the first email message for the month. Read it. If an item from the following lists is in the email, take the penalty drink. If not, go on to the next message. Repeat until you can't read anymore, or have an empty bottle. ;-)

Please note: These are cumulative! Be careful, as you could have SIX+ drinks from one email!

Take one drink if.....

  • The question is answered in the documentation.
  • The question is answered in the FAQ.
  • The writer doesn't know how to use Google.
  • The reply is "RTFM"
  • The reply is "It's in the FAQ"
  • Writer is using Red Hat's broken pcap.
  • "Why aren't portscans showing up in ACID?"
  • "Why is Snort not reporting dropped packets the right way on Linux?"
  • Marty complains about Red Hat's brokenness.
  • Writer is using "Linux 8" or "Linux 9".
  • Writer has a .sig over 4 lines.
  • Writer posts a packet capture with the IPs XXX'ed out, but still leaves them in the hex decode below.
  • The drinking game starts its own thread.
  • The question is about ACID
  • Joel tells someone that ACID is dead and they should use BASE
  • The mail is an Out Of Office message
  • Shirkdog rips into someone for sending an Out of Office
  • Someone gets offended by a Shirkdog flame
  • Joel suggests that someone upgrade to the latest version of Snort

Take two drinks if.....
  • Writer obviously has _never_ read any docs.
  • Student from some obscure foreign version of ITT Technical Institute asking the list to do their homework for them
  • Writer obviously doesn't know how to compile.
  • "How can I auto update the rules?"
  • Writer asks "Where is signature XX?" and that's already in the rules.
  • Writer says "It's broken." and includes _nothing useful_ about the setup.
  • Writer says “It’s broken.” and calls Snort ‘crap’
  • Someone replies to a digest mode email, and includes the whole digest.
  • A virus scanner kicks email back to the list.
  • Writer's .sig contains a "The contents of this email.." style disclaimer.
  • Post contains a "Stupid Management Tricks" story.
  • Message says "Please unsubscribe me from this list."
  • Message is _entirely_ blank.
  • Confirmation/signup email gets sent to the entire list.
  • Someone posts a non RFC-1918 IP and remarks that "it's not being used by anyone."
  • Someone replies to a message and has more 'header cruft' in their message than content--Thank you Lotus Notes....
  • You post a message to the list and get a "I am out of the office message...."
  • You realize that _YOU_ were the reason another penalty drink was added to the Drinking Game.
  • You hit "Reply to All" instead of "Reply" and you start your response with the words "Hey Sexy!"
  • Writer says "I've searched Google and can't find the answer." and the answer is in the first 10 results.
  • Writer is planning on creating their own IPS engine made of "magic"
  • Writer wants to implement Snort in hardware
  • Writer wants to know if these “accelerator cards work” with Snort
  • Writer isn't using unified logs / barnyard
  • Writer wonders why barnyard fails to process a non-unified log file.
  • Writer has connected to a non-SPAN switch port
  • Writer has not set ANY variables.
  • Writer is using the CURRENT ruleset, with a non-current release
  • Writer wants to know what “CURRENT” means
  • The Sig has that “legal” disclaimer in it.
  • Someone asks why they are not seeing alerts for traffic they are generating on the Snort sensor itself and someone@sourcefire suggests they use -k none to fix it.
  • Someone writes an email to the list asking how to use Snort in their Master's Thesis with a sentence like: "I want to create a project based off of Snort, where do I start?"
  • Someone writes an email to the list asking about Oinkmaster, and someone suggests PulledPork as a replacement.

Take three drinks if.....
  • The message has " is down" or "Where's another Whitehats?"
  • The message has “Where are the Bleeding-Snort rules”?
  • Someone wants the file vision18.conf.gz.
  • "Can Snort email me alerts?"
  • "Can Snort page me with alerts?"
  • Writer is using an old version (non-current release) of Snort.
  • Writer becomes offended at "Kickass P0rn."
  • Writer becomes offended at comments in source code.
  • Writer isn't even sure what Snort does.
  • Writer starts an OS Holy War.
  • Someone posts in HTML-ized email.
  • Poster's .sig or disclaimer is longer than the reply.
  • Writer has no clue that exists.
  • Someone has to correct your drink totals for a penalty.
  • Someone posts their IP asking for a portscan.
  • Writer obviously thinks that Red Hat == Linux.
  • Writer places the question and/or email in the subject and leaves the body of the email blank.
  • You post more than one message to the list and get back a "I am out of the office..." message for _each_ post you made.
  • You have a broken vacation message that responds to each post made to a mailing list.
  • You realize that you just posted a "Hey Sexy!" response to a worldwide mailing list.... From your _work_ email address.
  • Writer has made their own Snort rule(s), and Snort's "Broken" because they don't fire as they expect.
  • Writer complains about a F+ but provides NO usable information
  • Snort only alerts on packets to/from my IP address?
  • Snort only alerts on UDP packets?
  • Writer complains about the lack of documentation, but has somehow missed the /docs directory, the Snort users manual, the forums, hardback and paperback books in all good book shops, FAQs, the notes in the snort.conf file, and installation guides.
  • Someone asks or states that SnortSP (Snort 3.0) is not open source anymore.

And the Big Penalty Drink:
  • If you realize you are drinking to your own post, DOUBLE the penalty.

