Comment 2 for bug 1303338

Eric Teeter (teetere) wrote :

Found the problem and a workaround

In the 2.9.3 version of Snort several output formats have been deprecated, including Prelude support. However, it remains possible to keep Snort as a Prelude agent through the use of Barnyard2, an open source interpreter for Snort unified2 binary output files.

After a standard install of Snort, get the sources of Barnyard2 from http://www.securixlive.com/barnyard2/download.php

The enable-prelude option was transferred to Barnyard2:

   $ ./configure --enable-prelude
   $ make
   $ make install

Then edit /etc/snort/barnyard2.conf with the following:

output alert_prelude: profile=snort

Finally edit /etc/snort/snort.conf to add unified2 output:

# unified2
output unified2: filename merged.log, limit 128

If you previously registered your sensor, you should be able to start Snort and Barnyard2 by using:

$ snort -c /etc/snort/snort.conf -i eth1
$ barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -a /var/log/snort/archived

(assuming you have created a /var/log/snort/archived directory to store your archived unified2 logs)
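The workaround above is a four-step procedure whose parts have to agree with each other: the filename Snort writes in its `output unified2` line must be the same one Barnyard2 is handed with `-f`, the archive directory for `-a` must exist, and Barnyard2 must actually carry a Prelude output line. The script below is an added example (not code from the bug report, from Snort or from Barnyard2) that writes the two config fragments shown in the comment and checks that wiring before launching anything. Beyond what the comment states, it assumes the `input unified2` line in barnyard2.conf, Barnyard2's `-w` waldo (bookmark) file, and the `-T` (test config) and `-D` (daemonize) switches of both tools; the snort.conf content used in testing is constructed.

```shell
#!/bin/sh
# Added example (not part of the bug comment): script the Snort -> unified2 ->
# Barnyard2 -> Prelude chain described above and check the two config files
# agree before anything is started. Assumptions beyond the comment: the
# "input unified2" line in barnyard2.conf, Barnyard2's -w waldo (bookmark)
# file, and the -T (test config) and -D (daemonize) switches of both tools.

# Append the unified2 output plugin to snort.conf, once (safe to re-run).
add_unified2_output() {
    conf="$1"; logfile="${2:-merged.log}"; limit="${3:-128}"
    if ! grep -q '^output unified2:' "$conf" 2>/dev/null; then
        printf '# unified2\noutput unified2: filename %s, limit %s\n' \
            "$logfile" "$limit" >> "$conf"
    fi
}

# Write a minimal barnyard2.conf that reads unified2 records and reports
# them as the Prelude agent registered under profile "snort".
write_barnyard2_conf() {
    cat > "$1" <<'EOF'
# constructed example config; "input unified2" is assumed to be required
input unified2
output alert_prelude: profile=snort
EOF
}

# Name of the unified2 file Snort will write (last "output unified2:" wins).
unified2_filename() {
    sed -n 's/^output unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Verify the chain is wired consistently before launching:
#   1 = Snort does not write the file Barnyard2 will be told to read (-f)
#   2 = Barnyard2 has no Prelude output line
#   3 = archive directory for processed unified2 files (-a) is missing
check_chain() {
    snortconf="$1"; by2conf="$2"; logfile="$3"; archive="$4"
    [ "$(unified2_filename "$snortconf")" = "$logfile" ] || return 1
    grep -q '^output alert_prelude:' "$by2conf" || return 2
    [ -d "$archive" ] || return 3
    return 0
}

# Start both daemons only after the static checks and each tool's own
# config test (-T) pass. The waldo file lets Barnyard2 resume where it
# stopped instead of replaying alerts already sent to Prelude.
start_chain() {
    snortconf="$1"; by2conf="$2"; logdir="$3"; iface="$4"; logfile=merged.log
    mkdir -p "$logdir/archived"
    check_chain "$snortconf" "$by2conf" "$logfile" "$logdir/archived" || return $?
    snort -T -c "$snortconf" >/dev/null 2>&1 || return 4
    barnyard2 -T -c "$by2conf" >/dev/null 2>&1 || return 5
    snort -D -c "$snortconf" -i "$iface" -l "$logdir" || return 6
    barnyard2 -D -c "$by2conf" -d "$logdir" -f "$logfile" \
        -a "$logdir/archived" -w "$logdir/barnyard2.waldo"
}
```

Source the file and run `add_unified2_output /etc/snort/snort.conf`, `write_barnyard2_conf /etc/snort/barnyard2.conf`, then `start_chain /etc/snort/snort.conf /etc/snort/barnyard2.conf /var/log/snort eth1`; a non-zero return from `start_chain` tells you which link of the chain is broken before any daemon is started.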