I am on FC 26. I think that I could get snort running with the VPNfilter rules and have it between my cable modem and router (which is end of lifed / no more support)? I think I'd need a second nic (unless it's a two port on the motherboard) to the router on the FC box.

If I understand, I think you're asking if you need two NICs in your PC to use it as a filter between your cable modem and your router. Right? Maybe like this:
That should work, though it's dangerous because your PC is exposed to attacks from the internet without the router's protection.

Alternately, I think you can use the brctl command in the bridge-utils package two declare two networks on one NIC, one assigned by your provider and a local network like 192.168.1.0/24. Then, even though everything would be connected on one physical network, it would virtually be two networks. I've done that before, though I can't recall the details off hand.

This is also dangerous, because now you're using your PC as a router, so it will bear the brunt of attacks from the internet instead of the router.

Also, you'll have to configure the hardware router to ignore the provider's IP address. It might be easier to ditch the router and use a switch.