Suricata & Evebox spotting potential REvil DNS query on Fedora download -?

Hi to the Suricata community,

Suricata & Evebox spotted a potential risk about a DNS query that was said to be possibly linked to the REvil ransomware.

It may be of course a false positive and I would have kept that as a personal issue to look at on my own, but it happened at the same time that I was using Gnome software to download an update for Fedora 39 to upgrade to Fedora 40.

Two things happening simultaneously are of course not necessarily correlated, but in such a case I would like to rule out that it is linked to a download that might impact others (even if that’s not very likely).

Please see further detail here on the Fedora discussions forum:

Configuration:

  • Suricata version: 7.0.5 RELEASE
  • Linux distribution: Fedora 39, then upgraded to Fedora 40
  • Suricata installed from packages, running with Evebox

Rule & identified signature:

  • Signature: :paw_prints: - :skull_and_crossbones: Requête DNS :globe_with_meridians::control_knobs: Possible C2 :lock: Rançongiciel REvil/Sodinokibi
  • Category: A Network Trojan was detected
  • Severity: 1
  • Signature ID: 2007250157
  • Generator ID: 1
  • Revision: 1

Is there a way, please, to find out the process that made that DNS query? There is no trace of the queried website (which I don’t use) in the browsing history of the two browsers. Or could anyone share advice on how to check this kind of event?

Many thanks and kind regards,

Alex

You’d probably need EDR tools to narrow it down to a process. But it’s most likely a legitimate domain that ended up on a list. There are other rules that look for signs of it outside of DNS as well, which may be better signs of it actually being on your network.

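
One way to do the first part of the check Jason describes without an EDR, as an added example that is not part of this thread: a small Python script reads Suricata’s EVE JSON log, pulls every alert carrying the signature ID from the post (2007250157), and joins it by flow_id to the DNS query and answer events on the same flow, so the queried name and the resolved address can be compared with the traffic a Fedora upgrade is expected to generate (mirror lookups, for instance) before treating the hit as anything more than a listed domain. The sample EVE lines, flow IDs, addresses and the queried name are constructed for the example.

```python
import json
from collections import defaultdict
# Constructed sample EVE JSON (not from the thread): the signature ID and
# category match the post; flow IDs, addresses and the queried name are made up.
SAMPLE_EVE = """
{"timestamp":"2024-05-01T10:00:00.000000+0200","event_type":"dns","flow_id":1001,"src_ip":"192.0.2.10","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"suspicious-placeholder.test","rrtype":"A"}}
{"timestamp":"2024-05-01T10:00:00.100000+0200","event_type":"alert","flow_id":1001,"src_ip":"192.0.2.10","dest_ip":"192.0.2.1","alert":{"signature_id":2007250157,"rev":1,"severity":1,"category":"A Network Trojan was detected","signature":"Possible C2 REvil/Sodinokibi"}}
{"timestamp":"2024-05-01T10:00:00.200000+0200","event_type":"dns","flow_id":1001,"src_ip":"192.0.2.1","dest_ip":"192.0.2.10","dns":{"type":"answer","rrname":"suspicious-placeholder.test","rcode":"NOERROR","answers":[{"rrname":"suspicious-placeholder.test","rrtype":"A","rdata":"203.0.113.5"}]}}
{"timestamp":"2024-05-01T10:00:05.000000+0200","event_type":"dns","flow_id":1002,"src_ip":"192.0.2.10","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"mirrors.fedoraproject.org","rrtype":"A"}}
"""

def parse_eve(eve_text):
    """Parse newline-delimited EVE JSON, skipping blank or half-written lines."""
    events = []
    for line in eve_text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # blank line, or a record still being written to eve.json
    return events

def triage_alerts(eve_text, signature_id):
    """For each alert with signature_id, collect the DNS names queried and the
    addresses answered on the same flow_id, ready to compare with expected traffic."""
    events = parse_eve(eve_text)
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev.get("flow_id")].append(ev)
    findings = []
    for ev in events:
        if ev.get("event_type") != "alert" or ev["alert"].get("signature_id") != signature_id:
            continue
        queries, answers = set(), set()
        for fev in by_flow[ev.get("flow_id")]:
            dns = fev.get("dns") if fev.get("event_type") == "dns" else None
            if not dns:
                continue
            if dns.get("type") == "query":
                queries.add(dns["rrname"])
            elif dns.get("type") == "answer":
                answers.update(a["rdata"] for a in dns.get("answers", []))
        findings.append({"timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
                         "signature": ev["alert"]["signature"],
                         "queries": sorted(queries), "answers": sorted(answers)})
    return findings

if __name__ == "__main__":
    for finding in triage_alerts(SAMPLE_EVE, 2007250157):
        print(finding)
```

Point it at the real log with `triage_alerts(open("/var/log/suricata/eve.json").read(), 2007250157)`; the source address tells you which host asked, and the resolved address is what to look for in later flow or TLS events, which is closer to the "signs outside of DNS" mentioned above.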

Hi Jason @ish, many thanks for your reply, much appreciated.

For the moment, no access to EDR (yet), but it’s great to have tools such as Suricata & Evebox :slight_smile: