Intrusion Detectors in dom0: bad idea?

@Zrubi:

“dom0 is surely not the place for such things…”

Exactly. It would just open up another attack path.

E.g. considering the numerous vulnerabilities in AV software they even seem to do more harm than good for some people…

Honestly I’m not sure about the value of IDS nowadays though. Considering most (incl. malware) traffic is TLS encrypted nowadays and one usually doesn’t want to mitm/break TLS for oneself except in very specific cases, an IDS nowadays doesn’t do much more than checking for “bad” DNS requests and IPs. You can also do that with netflow sensors and keep all traffic data pretty much forever (1MB per day or so).

Side Note: Proxy VMs are quite useful to break TLS if needed… I succeeded with sslsplit.

  • The ‘new generation’ of IDS might be running in a privileged VM:
    https://drakvuf.com/ - for Xen

    or (Trend Micro) Deep Security - for VMware

Thanks for mentioning that one as I didn’t know it and it looks promising!
It probably opens up a few attack paths as well, but might be worth it under certain circumstances.