
Testing Default Detections

Prerequisites

Before you can test Sophos Linux Sensor (SLS) detections, you must install SLS and the default detections must be applied. See Installing Sophos Linux Sensor.

Testing Sophos Linux Sensor detections

Once the sensor and content are installed, test to ensure that the content is properly deployed and that the generated alerts are going to the right place. You can trigger any alert as a test. The following detections are simple ways to trigger a test alert:

  • The Test Alert policy in the default content package
  • Cryptocurrency miner detected

Test Alert policy

  1. Make sure SLS is started on the host that you wish to test. Run the following command:

    systemctl status sophoslinuxsensor
    

    Sample output:

    vagrant@vagrant:~$ sudo systemctl status sophoslinuxsensor
    ● sophoslinuxsensor.service - Sophos Linux Sensor
        Loaded: loaded (/lib/systemd/system/sophoslinuxsensor.service; enabled; vendor preset: enabled)
        Active: active (running) since Tue 2022-05-17 15:19:04 UTC; 14min ago
      Main PID: 26137 (sophoslinuxsens)
        Tasks: 20 (limit: 2245)
        Memory: 42.0M
        CGroup: /system.slice/sophoslinuxsensor.service
                ├─26137 /usr/local/bin/sophoslinuxsensor
                ├─26149 runtimedetections-trigger
                └─26151 /usr/local/bin/perf-sensor
    
    ...
    May 17 15:19:05 vagrant sophoslinuxsensor[26137]: 2022-05-17T15:19:05.908Z        INFO        32 policies configured
    ...
    
  2. Run the following command to trigger the Test Alert policy:

    sophoslinuxsensor -test-alert
    

    Sample output:

    2022-05-17T15:28:31.470Z        INFO    config "/etc/sophos/runtimedetections-rules.yaml" has been read
    Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
    2022-05-17T15:28:31.472Z        INFO    using sensor configuration file "/etc/sophos/runtimedetections-rules.yaml"
    2022-05-17T15:28:31.474Z        INFO    Alert testing command executed, exiting
    

    You should see the following alert in the sensor's journal (for example, with journalctl -u sophoslinuxsensor):

    May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester
    

    You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.

Cryptocurrency miner detected

  1. Make sure SLS is started on the host that you wish to test, as in step 1 of the Test Alert procedure above (systemctl status sophoslinuxsensor).

  2. Run the following command to copy a harmless binary into a file named after a well-known miner. The detection keys on the name of the executed binary, which is why a copy of ls is enough to trigger the Cryptocurrency Miner Detected policy without running a real miner:

    cp "$(command -v ls)" xmrig
    
  3. Run the following command to execute the file and trigger the detection:

    ./xmrig
    

    You should see the following alert in the sensor's journal (for example, with journalctl -u sophoslinuxsensor):

    May 17 15:30:17 vagrant sophoslinuxsensor[26137]: Alert triggered: Cryptocurrency Miner Detected
    

    You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default. Remove the test copy afterwards (rm xmrig) so that a file named after a miner is not left on the host.
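
The two procedures above, scripted end to end as an added example (this is not Sophos code and not part of the SLS documentation). It assumes the systemd unit name sophoslinuxsensor and that alert lines reach the journal in the "Alert triggered: <name>" form shown above; that the miner policy keys on the process name is inferred from the ls-copied-to-xmrig test. The sample journal lines embedded in the script are copied from this page so the parsing helpers can be exercised on a host without the sensor; pass --run on a host with SLS installed to execute the real checks.

```shell
#!/usr/bin/env bash
# Added example (not part of the Sophos Linux Sensor documentation or code):
# drive both test detections from this page and confirm the alerts arrive.
#
# Assumptions: the systemd unit is "sophoslinuxsensor" and alert lines reach
# the journal in the form shown on this page, e.g.
#   "... sophoslinuxsensor[26137]: Alert triggered: Alert Tester".
# The xmrig step relies on the policy matching the process name, which is why
# a harmless copy of ls is enough; that is an inference from the page's test.

UNIT="sophoslinuxsensor"

# Constructed sample, copied from the alert lines on this page, so the parsing
# helpers can be exercised on a host that does not have the sensor installed.
SAMPLE_JOURNAL='May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester
May 17 15:30:17 vagrant sophoslinuxsensor[26137]: Alert triggered: Cryptocurrency Miner Detected'

# alert_names: read journal text on stdin, print one triggered alert name per line.
alert_names() {
  sed -n 's/.*Alert triggered: //p'
}

# alert_seen NAME: read journal text on stdin; succeed if NAME was triggered.
alert_seen() {
  alert_names | grep -qxF "$1"
}

# wait_for_alert NAME SINCE TIMEOUT_SECONDS: poll the unit's journal from SINCE
# until the alert appears (exit 0) or the timeout expires (exit 1).
wait_for_alert() {
  local name="$1" since="$2" timeout="$3" waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if journalctl -u "$UNIT" --since "$since" --no-pager 2>/dev/null | alert_seen "$name"; then
      return 0
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 1
}

# run_checks: the two procedures from this page, end to end. Returns non-zero
# on the first failure so it can gate a provisioning pipeline.
run_checks() {
  if ! systemctl is-active --quiet "$UNIT"; then
    echo "FAIL: $UNIT is not running (see: systemctl status $UNIT)" >&2
    return 1
  fi
  local since tmp
  since=$(date '+%Y-%m-%d %H:%M:%S')

  # 1. Test Alert policy (the page's "sophoslinuxsensor -test-alert").
  sophoslinuxsensor -test-alert >/dev/null 2>&1
  wait_for_alert "Alert Tester" "$since" 30 \
    || { echo "FAIL: Test Alert policy did not fire" >&2; return 1; }
  echo "OK: Alert Tester"

  # 2. Cryptocurrency miner detected: run a harmless binary under a miner's
  #    name, in a throw-away directory that is removed again afterwards.
  tmp=$(mktemp -d)
  cp "$(command -v ls)" "$tmp/xmrig"
  "$tmp/xmrig" "$tmp" >/dev/null
  rm -rf "$tmp"
  wait_for_alert "Cryptocurrency Miner Detected" "$since" 30 \
    || { echo "FAIL: Cryptocurrency Miner Detected did not fire" >&2; return 1; }
  echo "OK: Cryptocurrency Miner Detected"
}

if [ "${1:-}" = "--run" ]; then
  run_checks
else
  # Without --run, only show what the helpers extract from the constructed sample.
  printf '%s\n' "$SAMPLE_JOURNAL" | alert_names
fi
```

The polling window matters more than it looks: the page's own output shows the alert line arriving in the journal a fraction of a second after the trigger command exits, so a check that greps the journal immediately, once, can report a false failure on a loaded host. Starting the journal window at the time recorded just before the trigger also keeps an alert from an earlier run from satisfying the check.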

Keeping SLS detections up to date

If you have installed SLS content using a standard package manager, updates will be made available in the SLS package repository, much the same as the sensor, and will adhere to the system update management policies you have in place (e.g. weekly apt updates).