Hi to the Suricata community,
Suricata & Evebox spotted a potential risk about a DNS query that was said could be linked to the REvil ransomware.
It may of course be a false positive, and I would have kept that as a personal issue to look at on my own, but it happened at the same time that I was using Gnome Software to download an update for Fedora 39 to upgrade to Fedora 40.
Two things happening simultaneously are of course not necessarily correlated, but in such a case I would like to rule out that it is linked to a download that might impact others (even if that's not very likely).
Please see further detail here on the Fedora discussions forum:
Configuration:
- Suricata version: 7.0.5 RELEASE
- Linux distribution: Fedora 39, then upgraded to Fedora 40
- Suricata installed from packages, running with Evebox
Rule & identified signature:

| Field | Value |
|---|---|
| Signature | Requête DNS → Possible C2 Rançongiciel REvil/Sodinokibi |
| Category | A Network Trojan was detected |
| Severity | 1 |
| Signature ID | 2007250157 |
| Generator ID | 1 |
| Revision | 1 |
Is there a way, please, to find out which process made that DNS query? There is no trace of the queried website (which I don't use) in the browsing history of the 2 browsers. Or could anyone share advice on how to check this kind of event?
Many thanks and kind regards,
Alex