Issue with Snort Barnyard2 and Bro integration

  • I am struggling to get Snort logs to Bro via Barnyard.
    I have configured as below so far:

    On the Bro server:

    • in bro/site/local.bro I have set: @load policy/integration/barnyard2
    • broctl deploy
    • cat bro/logs/current/loaded_scripts.log: I can see that the barnyard scripts are loaded

    On pfSense:

    • Snort package, Snort Interfaces, edit interface settings, barnyard2 tab
      • enable barnyard2, enable Bro-IDS, set remote host and port = 47760 (also tried 47761 for bro in cluster mode), Save
      • restart Snort for the interface. Snort restarts, but barnyard fails.
        In system logs:
        Jul 24 15:24:38 barnyard2 398 FATAL ERROR: failed! Could not connect to Bro!
        Jul 24 15:24:27 barnyard2 398 alert_bro Connecting to Bro (192.168.x.x:47761)...

    On the Bro server, during the restart of Snort/Barnyard, checking the broker.log file it looks like the connection from pfSense disconnects the Bro workers that are listening on the mirror interfaces.

    I have seen various references to adding the following to local.bro, but these don't seem compatible with my version:
    @load frameworks/communication/listen

    redef Communication::nodes += {
        ["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::.*/, $connect = F, $ssl = F]
    };

    I am running pfSense 2.4.3 release p1 (amd64), Snort version 3.2.9.6_1, and Bro version 2.5-749 (on Ubuntu 16.04.4 LTS).

    Thanks