Hello, 

I'm experiencing an anomaly with SGUIL 8's snort_agent, barnyard2 and snort-2.9.5.6 setup.  This is a fresh build and all the other agents are reporting to the manager except the snort_agent is not passing any alerts.  I suspect it's my snort/barnyard2 configuration, however I've verified that snort_agent is passing the snort.stats data and barnyard is connected to it.  Snort is alerting on rules but barnyard is not seeing anything to pass to the snort_agent.  Thus I really think it's my snort/barnyard configuration that is not working.  Below is what I'm seeing when debugging.  

My snort_agent is reporting to the manager but only sending snort.stat information and PING/PONGS

##############################
 /etc/sguil-0.8.0/sensor/snort_agent.tcl -c /etc/sguil-0.8.0/sensor/snort_agent.conf
Connected to x.x.x.x  <--redacted IP
Sending sguild (sock3) RegisterAgent snort cerberus cerberus
Listening on port 7735 for barnyard connections.
Sending sguild (sock3) PING
Error: Invalid snort stats line: #time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime,avg_bytes_per_wire_packet,patmatch_percent,syns_per_second,synacks_per_second,new_sessions_per_second,deleted_sessions_per_second,total_sessions,max_sessions,stream_flushes_per_second,stream_faults,stream_timeouts,frag_creates_per_second,frag_completes_per_second,frag_inserts_per_second,frag_deletes_per_second,frag_autofrees_per_second,frag_flushes_per_second,current_frags,max_frags,frag_timeouts,frag_faults,iCPUs,usr[0],sys[0],idle[0],wire_mbits_per_sec.realtime,ipfrag_mbits_per_sec.realtime,ipreass_mbits_per_sec.realtime,rebuilt_mbits_per_sec.realtime,mbits_per_sec.realtime,avg_bytes_per_wire_packet,avg_bytes_per_ipfrag_packet,avg_bytes_per_ipreass_packet,avg_bytes_per_rebuilt_packet,avg_bytes_per_packet,kpackets_wire_per_sec.realtime,kpackets_ipfrag_per_sec.realtime,kpackets_ipreass_per_sec.realtime,kpackets_rebuilt_per_sec.realtime,kpackets_per_sec.realtime,pkt_stats.pkts_recv,pkt_stats.pkts_drop,total_blocked_packets,new_udp_sessions_per_second,deleted_udp_sessions_per_second,total_udp_sessions,max_udp_sessions,max_tcp_sessions_interval,curr_tcp_sessions_initializing,curr_tcp_sessions_established,curr_tcp_sessions_closing,tcp_sessions_midstream_per_second,tcp_sessions_closed_per_second,tcp_sessions_timedout_per_second,tcp_sessions_pruned_per_second,tcp_sessions_dropped_async_per_second,current_attribute_hosts,attribute_table_reloads,mpls_mbits_per_sec.realtime,avg_bytes_per_mpls_packet,kpackets_per_sec_mpls.realtime,total_tcp_filtered_packets,total_udp_filtered_packets,ip4::trim,ip4::tos,ip4::df,ip4::rf,ip4::ttl,ip4::opts,icmp4::echo,ip6::ttl,ip6::opts,icmp6::echo,tcp::syn_opt,tcp::opt,tcp::pad,tcp::rsv,tcp::ns,tcp::urg,tcp::urp,tcp::trim,tcp::ecn_pkt,tcp::ecn_ssn,tcp::ts_ecr,tcp::ts_nop,tcp::ips_data,tcp::block,total_injected_packets,frag3_mem_in_use,stream5_mem_in_use,total_alerts_per_second
Sensor Data Rcvd: AgentInfo cerberus snort cerberus 4 0
Sensor Data Rcvd: PONG
PONG received
barnyard connected: sock6 127.0.0.1 58789
Sending sguild (sock3) AgentLastCidReq sock6 4
Sensor Data Rcvd: LastCidResults sock6 0
Sending sguild (sock3) PING
Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock3) PING
Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock3) PING
Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock3) PING
Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock3) PING
Sensor Data Rcvd: PONG
PONG received
#############################################################

Here is the output from barnyard.  Notice it does not create the waldo file.  I assume it's because it's not reading any input.  

#############################################################
]# /usr/local/bin/barnyard2 -u sguil -g sguil -c /etc/sguil/barnyard2.conf -d /var/log/snort-cerberus/ -f snort.log -w /var/log/snort-cerberus/by2.waldo -l /var/log/snort-cerberus/ -a /var/log/snort-cerberus/OLD/ -v

Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/sguil/barnyard2.conf"
Log directory = /var/log/snort-cerberus/
No arguments to alert_syslog preprocessor!
Node unique name is: cerberus:eth1

sguil:  sensor name = cerberus:eth1
sguil:  agent port =  7735
sguil:  Connected to localhost on 7735.
sguil: Waiting for sid and cid from sensor_agent.
sguil: sending "SidCidRequest cerberus:eth1
"sguil: received "SidCidResponse 4 0
"sguil: sensor ID = 4
sguil: last cid = 0

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

WARNING: Unable to open waldo file '/var/log/snort-cerberus/by2.waldo' (No such file or directory)
Opened spool file '/var/log/snort-cerberus//snort.log.1386856834'
Waiting for new data

####################################################

I've manually run the Snort test function and it tested successfully with my snort.conf file.  Yes, I do have "output unified2: filename snort.log, limit 128" within my snort.conf.  

I've even enabled the output modules for syslog and log_tcpdump.  In my syslog I do see the alerts being generated, but I do not see them in the tcpdump.log that is created. 

Here is what I used to daemonize snort.

# log directory; the snort line below must reference this same variable name
SNORT_LOG=/var/log/snort-$HOSTNAME

# IFACE and PIDDIR are assumed to be set earlier in the startup script
snort -u sguil -g sguil -m 122 -l "$SNORT_LOG" -c /etc/snort/snort.conf -i "$IFACE" -A full -U --pid-path "$PIDDIR" -D


########################################################
...
pcap DAQ configured to passive.
Acquiring network traffic from "eth1".
Reload thread starting...
Reload thread started, thread 0x7f00ba345700 (9380)
Decoding Ethernet
Checking PID path...
Previous Error, errno=2, (No such file or directory)
PID path stat checked out ok, PID path set to /var/run/
Writing PID "9371" to file "/var/run//snort_eth1.pid"
Set gid to 500
Set uid to 400

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.6 GRE (Build 208)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
Commencing packet processing (pid=9371)

#######################################################

Does anyone have any suggestions on what may be wrong?

Thanks
Leo
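As an added diagnostic example (not from the post above and not code from the Sguil or Barnyard2 projects): a small unified2 spool reader that checks whether Snort is actually writing alert records into the spool file, which separates a Snort-side output problem from a barnyard2 or snort_agent problem. The record-type constants and the 52-byte IPv4 IDS event layout are the unified2 format's; the sample spool, sensor id and signature ids are constructed for the example.

```python
import struct
from collections import Counter

# Unified2 record types (from the unified2 format definition)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
EVENT_TYPES = {7, 72, 99, 100, 104, 105}  # IPv4/IPv6, MPLS and VLAN event variants

# Unified2IDSEvent (IPv4): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes, big-endian
IDS_EVENT_FMT = "!" + "I" * 11 + "HHBBBB"


def iter_records(data):
    """Yield (type, payload) for each complete record in a unified2 byte stream.
    Stops at a truncated header or body, which is what a spool file looks like
    while Snort is still in the middle of writing a record."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack("!II", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        if len(body) < length:
            break  # partial record: the writer has not finished it yet
        yield rtype, body
        off += 8 + length


def summarize_spool(data):
    """Count event and packet records and collect (gid, sid) of IPv4 IDS events."""
    counts = Counter()
    sigs = []
    for rtype, body in iter_records(data):
        counts[rtype] += 1
        if rtype == UNIFIED2_IDS_EVENT and len(body) == struct.calcsize(IDS_EVENT_FMT):
            f = struct.unpack(IDS_EVENT_FMT, body)
            sigs.append((f[5], f[4]))  # generator_id, signature_id
    return {"events": sum(counts[t] for t in EVENT_TYPES),
            "packets": counts[UNIFIED2_PACKET], "signatures": sigs}


def summarize_spool_file(path):
    """Same check against a real spool file, e.g. snort.log.<timestamp>."""
    with open(path, "rb") as fh:
        return summarize_spool(fh.read())


def build_ids_event(sid, gid=1, sensor_id=4):
    """Construct a type-7 record for a synthetic alert (sample input only)."""
    body = struct.pack(IDS_EVENT_FMT, sensor_id, 1, 1386856834, 0, sid, gid, 1, 0, 3,
                       0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed sample spool: one event, one packet record, then a truncated record
SAMPLE_SPOOL = (build_ids_event(1000001)
                + struct.pack("!II", UNIFIED2_PACKET, 4) + b"\x00" * 4
                + struct.pack("!II", UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10)
```

If summarize_spool_file on the spool barnyard2 opened reports zero events while syslog shows alerts, the unified2 output plugin is the place to look; if it reports events, the spool is fine and the problem is downstream.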