Skip to content

Testing Default Detections

Prerequisites

Before you can test Sophos Linux Sensor (SLS) detections, you must install SLS and the default detections must be applied. See Installing Sophos Linux Sensor.

Testing Sophos Linux Sensor detections

Once the sensor and content are installed, test to ensure that the content is properly deployed and that the generated alerts are going to the right place. You can trigger any alert as a test. The following detections are simple ways trigger a test alert:

  • The Test Alert policy in the default content package
  • Cryptocurrency miner detected

  1. Make sure SLS is started on the host that you wish to test. Run the following command:

    systemctl status sophoslinuxsensor

    Sample output:

    vagrant@vagrant:~$ sudo systemctl status sophoslinuxsensor
● sophoslinuxsensor.service - Sophos Linux Sensor
    Loaded: loaded (/lib/systemd/system/sophoslinuxsensor.service; enabled; vendor preset: enabled)
    Active: active (running) since Tue 2022-05-17 15:19:04 UTC; 14min ago
  Main PID: 26137 (sophoslinuxsens)
    Tasks: 20 (limit: 2245)
    Memory: 42.0M
    CGroup: /system.slice/sophoslinuxsensor.service
            ├─26137 /usr/local/bin/sophoslinuxsensor
            ├─26149 runtimedetections-trigger
            └─26151 /usr/local/bin/perf-sensor

...
May 17 15:19:05 vagrant sophoslinuxsensor[26137]: 2022-05-17T15:19:05.908Z        INFO        32 policies configured
...

  2. Run the following command to trigger the Test Alert policy: 

    sophoslinuxsensor -test-alert

    Sample output:

    2022-05-17T15:28:31.470Z        INFO    config "/etc/sophos/runtimedetections-rules.yaml" has been read
Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
2022-05-17T15:28:31.472Z        INFO    using sensor configuration file "/etc/sophos/runtimedetections-rules.yaml"
2022-05-17T15:28:31.474Z        INFO    Alert testing command executed, exiting

    You should see the following alert:

    May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester

    You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.

  1. Make sure SLS is started on the host that you wish to test. Run the following command:

    systemctl status sophoslinuxsensor

    Sample output:

    vagrant@vagrant:~$ sudo systemctl status sophoslinuxsensor
● sophoslinuxsensor.service - Sophos Linux Sensor
    Loaded: loaded (/lib/systemd/system/sophoslinuxsensor.service; enabled; vendor preset: enabled)
    Active: active (running) since Tue 2022-05-17 15:19:04 UTC; 14min ago
  Main PID: 26137 (sophoslinuxsens)
    Tasks: 20 (limit: 2245)
    Memory: 42.0M
    CGroup: /system.slice/sophoslinuxsensor.service
            ├─26137 /usr/local/bin/sophoslinuxsensor
            ├─26149 runtimedetections-trigger
            └─26151 /usr/local/bin/perf-sensor

...
May 17 15:19:05 vagrant sophoslinuxsensor[26137]: 2022-05-17T15:19:05.908Z        INFO        32 policies configured
...

  2. Run the following command to create a file that will trigger the cryptocurrency miner detected policy:

    cp `which ls` xmrig

  3. Run the following command to execute the file and trigger the detection:

    ./xmrig

    You should see the following alert:

    May 17 15:30:17 vagrant sophoslinuxsensor[26137]: Alert triggered: Cryptocurrency Miner Detected

    You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.

Keeping SLS detections up to date

If you have installed SLS content using a standard package manager, updates will be made available in the SLS package repository, much the same as the sensor, and will adhere to the system update management policies you have in place (e.g. weekly apt updates).