https://zrubi.hu/en/2017/traffic-analysis-qubes/
Excerpt:
[quote] One of the best things in Qubes OS is that you can use a special type of VM called ProxyVM (or FirewallVM). The special thing is that your AppVMs see this as a NetVM, and the NetVMs see it as an AppVM.
Because of that, you can place a ProxyVM between your AppVMs and your NetVM. This way we can create an ideal topology for traffic analysis. One of the best applications for such a task is Suricata, the free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing – however this article only covers the Qubes integration of this product. [/quote]