Found the problem and workaround. In the 2.9.3 version of Snort several output formats have been deprecated, including Prelude support. However, it remains possible to keep Snort as a Prelude agent through the use of Barnyard2, an open source interpreter for Snort unified2 binary output files.

After a standard install of Snort, get the sources of Barnyard2 from http://www.securixlive.com/barnyard2/download.php

The enable-prelude option was transferred to Barnyard2:

  $ ./configure --enable-prelude
  $ make
  $ make install

Then edit /etc/snort/barnyard2.conf with the following:

  output alert_prelude: profile=snort

Finally edit /etc/snort/snort.conf to add unified2 output:

  # unified2
  output unified2: filename merged.log, limit 128

If you previously registered your sensor, you should be able to start Snort and Barnyard2 by using:

  $ snort -c /etc/snort/snort.conf -i eth1
  $ barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -a /var/log/snort/archived

(assuming you have created a /var/log/snort/archived directory to store your archived unified2 logs)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1303338

Title:
  Trusty, Snort doesn't work with prelude

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1303338/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
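The workaround above hands Snort's unified2 file (merged.log) to Barnyard2, which reads it record by record. The following added example (not from the bug report or from Barnyard2) walks that record framing on a constructed buffer: each record is a big-endian (type, length) header followed by its body, and a record cut off at the end of the file must be left for the next read, which is exactly the situation a reader sees on a merged.log that Snort is still writing. The legacy IPv4 event layout (type 7) and packet layout (type 2) are from the unified2 format; sample field values and the packet bytes are constructed.

```python
import socket
import struct

# Unified2 record framing as Barnyard2 reads it: a Serial_Unified2_Header of two
# big-endian uint32s (record type, body length) followed by the body.
HEADER = struct.Struct("!II")
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7      # legacy IPv4 event, 52-byte body
# Legacy Unified2IDSEvent body: 11 uint32, 2 uint16, 4 uint8 fields.
IDS_EVENT = struct.Struct("!11I2H4B")
# Unified2Packet fixed part (7 uint32) followed by packet_length bytes of packet.
PACKET_HDR = struct.Struct("!7I")

def split_records(buf, offset=0):
    """Return (records, resume_offset); records is a list of (type, body).
    A partial record at the end is left unconsumed so a tailer can resume
    once Snort has appended the rest, instead of misparsing the fragment."""
    records = []
    while offset + HEADER.size <= len(buf):
        rtype, length = HEADER.unpack_from(buf, offset)
        end = offset + HEADER.size + length
        if end > len(buf):
            break           # truncated tail: wait for more data
        records.append((rtype, bytes(buf[offset + HEADER.size:end])))
        offset = end
    return records, offset

def decode_event(body):
    """Decode the fields an alert (e.g. a Prelude IDMEF message) is built from."""
    f = IDS_EVENT.unpack_from(body)
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
            "src": socket.inet_ntoa(struct.pack("!I", f[9])),   # wire-order bytes
            "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
            "sport": f[11], "dport": f[12], "proto": f[13]}

def build_sample():
    """Constructed sample (not a real capture): one event, its packet, and a
    truncated third record, as seen when reading a live merged.log."""
    src = struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.0.2.10"))[0]
    event = IDS_EVENT.pack(1, 42, 1700000000, 0, 1000001, 1, 3, 29, 2,
                           src, dst, 51515, 80, 6, 0, 0, 0)
    pkt = b"\x00" * 14 + b"\x45" + b"\x00" * 19          # constructed frame bytes
    packet = PACKET_HDR.pack(1, 42, 1700000000, 1700000000, 0, 1, len(pkt)) + pkt
    partial = HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + event[:20]
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event +
            HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet + partial)

if __name__ == "__main__":
    recs, resume = split_records(build_sample())
    for rtype, body in recs:
        if rtype == UNIFIED2_IDS_EVENT:
            print(decode_event(body))
    print("complete records:", len(recs), "resume at offset", resume)
```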
