Read daq/README
Read snort/doc/README.daq

The above will give you an understanding of what we're trying to do. In this writeup I'll be covering nfq on Linux (Slackware x_64 and Ubuntu).

Install the libraries. Package-based distros will need to install the -dev packages of these as well. Slackware x_64 users can use ./configure --prefix=/usr --libdir=/usr/lib64 for configuring:

    libmnl
    libnfnetlink
    libnetfilter_queue

Now recompile and install libdnet.

Now recompile and install daq.

Regardless of distro, recompiling libdnet AFTER installing the new libmnl, libnfnetlink, and libnetfilter_queue packages above is the secret to getting snort to see nfq.

Daq ./configure should show you:

    Build AFPacket DAQ module.. : yes
    Build Dump DAQ module...... : yes
    Build IPFW DAQ module...... : yes
    Build IPQ DAQ module....... : no
    Build NFQ DAQ module....... : yes
    Build PCAP DAQ module...... : yes

Lastly recompile and install snort. The command "snort --daq-list" should show:

    Available DAQ modules:
    pcap(v3): readback live multi unpriv
    nfq(v7): live inline multi
    ipfw(v3): live inline multi unpriv
    dump(v2): readback live inline multi unpriv
    afpacket(v5): live inline multi unpriv

Now you're ready to start snort (change interface and location of snort.conf to match your environment).

    sudo snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf

Now you create the queue. Snort MUST be started BEFORE you create the queue. Examples below:

    sudo /usr/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
    sudo /usr/sbin/iptables -I FORWARD -j NFQUEUE --queue-num 1

Packets entering the queue that Snort is using, if not dropped by Snort after triggering a signature, will be passed as accepted. No iptables rules after the queue will be processed.

Though snort can only be used with one queue, you can use the same queue number in multiple tables:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     1526 99439 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      657  115K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1
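
The checks below are an added example, not part of the original write-up: they confirm that "snort --daq-list" output offers an inline-capable nfq module and that every NFQUEUE rule in "iptables -L -n -v" output points at the queue number Snort was started with. The function names and sample text are constructed for illustration; the sample FORWARD rule is deliberately set to queue 2 to show a mismatch.

```shell
#!/bin/sh
# Added example (not from the original write-up). Function names and the
# sample text below are constructed for illustration.

# Succeeds only if `snort --daq-list` output on stdin lists an nfq module
# that advertises the "inline" capability.
nfq_inline_available() {
    awk '$1 ~ /^nfq\(v[0-9]+\):$/ { for (i = 2; i <= NF; i++) if ($i == "inline") ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# Prints "CHAIN QUEUE" for every NFQUEUE rule in `iptables -L -n -v` output.
nfqueue_rules() {
    awk '$1 == "Chain" { chain = $2; next }
         $3 == "NFQUEUE" {
             for (i = 4; i + 2 <= NF; i++)
                 if ($i == "NFQUEUE" && $(i + 1) == "num") print chain, $(i + 2)
         }'
}

# Succeeds only if at least one NFQUEUE rule exists and every one of them
# targets the queue number Snort was started with (--daq-var queue=N).
check_queue() {
    nfqueue_rules | awk -v want="$1" '
        { seen = 1 }
        $2 != want { print "mismatch: chain " $1 " uses queue " $2; bad = 1 }
        END { exit ((seen && !bad) ? 0 : 1) }'
}

# Constructed sample inputs, modelled on the listings shown above.
DAQ_LIST_SAMPLE='Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
afpacket(v5): live inline multi unpriv'

IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1526 99439 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 2'

printf '%s\n' "$DAQ_LIST_SAMPLE" | nfq_inline_available && echo "nfq inline: available"
printf '%s\n' "$IPTABLES_SAMPLE" | check_queue 1 || echo "queue check failed"
```

On a live system, pipe the real output in instead of the samples, for example: snort --daq-list | nfq_inline_available, and sudo iptables -L -n -v | check_queue 1.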