Testing Default Detections
Prerequisites
Before you can test Sophos Linux Sensor (SLS) detections, you must install SLS and the default detections must be applied. See Installing Sophos Linux Sensor.
Testing Sophos Linux Sensor detections
Once the sensor and content are installed, test to ensure that the content is properly deployed and that the generated alerts are going to the right place. You can trigger any alert as a test. The following detections are simple ways to trigger a test alert:
- The Test Alert policy in the default content package
- Cryptocurrency miner detected
Testing the Test Alert policy

1. Make sure SLS is started on the host that you wish to test. Run the following command:

   systemctl status sophoslinuxsensor

   Sample output:

   vagrant@vagrant:~$ sudo systemctl status sophoslinuxsensor
   ● sophoslinuxsensor.service - Sophos Linux Sensor
        Loaded: loaded (/lib/systemd/system/sophoslinuxsensor.service; enabled; vendor preset: enabled)
        Active: active (running) since Tue 2022-05-17 15:19:04 UTC; 14min ago
      Main PID: 26137 (sophoslinuxsens)
         Tasks: 20 (limit: 2245)
        Memory: 42.0M
        CGroup: /system.slice/sophoslinuxsensor.service
                ├─26137 /usr/local/bin/sophoslinuxsensor
                ├─26149 runtimedetections-trigger
                └─26151 /usr/local/bin/perf-sensor
   ...
   May 17 15:19:05 vagrant sophoslinuxsensor[26137]: 2022-05-17T15:19:05.908Z INFO 32 policies configured
   ...

2. Run the following command to trigger the Test Alert policy:

   sophoslinuxsensor -test-alert

   Sample output:

   2022-05-17T15:28:31.470Z INFO config "/etc/sophos/runtimedetections-rules.yaml" has been read
   Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
   2022-05-17T15:28:31.472Z INFO using sensor configuration file "/etc/sophos/runtimedetections-rules.yaml"
   2022-05-17T15:28:31.474Z INFO Alert testing command executed, exiting

   You should see the following alert:

   May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester

   You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.

Testing the Cryptocurrency miner detected policy

1. Make sure SLS is started on the host that you wish to test. Run the following command:

   systemctl status sophoslinuxsensor

   Sample output:

   vagrant@vagrant:~$ sudo systemctl status sophoslinuxsensor
   ● sophoslinuxsensor.service - Sophos Linux Sensor
        Loaded: loaded (/lib/systemd/system/sophoslinuxsensor.service; enabled; vendor preset: enabled)
        Active: active (running) since Tue 2022-05-17 15:19:04 UTC; 14min ago
      Main PID: 26137 (sophoslinuxsens)
         Tasks: 20 (limit: 2245)
        Memory: 42.0M
        CGroup: /system.slice/sophoslinuxsensor.service
                ├─26137 /usr/local/bin/sophoslinuxsensor
                ├─26149 runtimedetections-trigger
                └─26151 /usr/local/bin/perf-sensor
   ...
   May 17 15:19:05 vagrant sophoslinuxsensor[26137]: 2022-05-17T15:19:05.908Z INFO 32 policies configured
   ...

2. Run the following command to create a file that will trigger the Cryptocurrency miner detected policy:

   cp `which ls` xmrig

3. Run the following command to execute the file and trigger the detection:

   ./xmrig

   You should see the following alert:

   May 17 15:30:17 vagrant sophoslinuxsensor[26137]: Alert triggered: Cryptocurrency Miner Detected

   You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.
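As an added verification helper (not from the Sophos documentation), the script below automates the two procedures above: it confirms the unit is active, triggers each alert, and checks the systemd journal for the "Alert triggered:" line shown above. It assumes the sensor's alert lines reach the journal under the sophoslinuxsensor unit, that the daemon writes them within a couple of seconds, and that the caller may run the sensor binary and read the journal.

```shell
# Added helper, not part of the Sophos documentation. Assumes alert lines reach
# the systemd journal for unit "sophoslinuxsensor" in the format shown above
# ("Alert triggered: <policy name>") and that the caller may read the journal.

# alert_logged NAME: read log lines from stdin; succeed if a line reports
# "Alert triggered: NAME". Pure text check, so it can be exercised offline.
alert_logged() {
    grep -q "Alert triggered: $1"
}

# sensor_active: succeed only if the systemd unit is active (running).
sensor_active() {
    systemctl is-active --quiet sophoslinuxsensor
}

# since_now: local timestamp in a form journalctl --since accepts.
since_now() {
    date '+%Y-%m-%d %H:%M:%S'
}

# journal_has NAME SINCE: did the unit log alert NAME after SINCE?
journal_has() {
    sleep 2   # assumption: give the daemon a moment to write the alert
    journalctl -u sophoslinuxsensor --since "$2" --no-pager | alert_logged "$1"
}

# check_test_alert: trigger the Test Alert policy and confirm the alert.
check_test_alert() {
    since=$(since_now)
    sophoslinuxsensor -test-alert >/dev/null || return 1
    journal_has "Alert Tester" "$since"
}

# check_miner_alert: run a copy of ls named xmrig (as in the steps above)
# from a temporary directory, clean up, and confirm the alert was logged.
check_miner_alert() {
    since=$(since_now)
    dir=$(mktemp -d) || return 1
    cp "$(command -v ls)" "$dir/xmrig" && "$dir/xmrig" "$dir" >/dev/null
    rm -rf "$dir"
    journal_has "Cryptocurrency Miner Detected" "$since"
}

# Only run the checks when invoked with "run", so sourcing is side-effect free.
if [ "${1:-}" = "run" ]; then
    sensor_active || { echo "sophoslinuxsensor is not running" >&2; exit 1; }
    check_test_alert && echo "Test Alert policy: OK"
    check_miner_alert && echo "Cryptocurrency miner detection: OK"
fi
```

Invoke it as `sh verify-sls.sh run` on the host under test; a non-zero exit from either check means the alert never reached the journal, which usually points at the sensor not running or alert output being routed elsewhere.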
Keeping SLS detections up to date
If you have installed SLS content using a standard package manager, updates will be made available in the SLS package repository, much the same as the sensor, and will adhere to the system update management policies you have in place (e.g. weekly apt updates).