Testing Default Detections
Prerequisites
- Download and verify the installation and content packages. See How to download and verify the deb and rpm packages for Sophos Linux Sensor.
- Sophos Linux Sensor (SLS) must be installed and default detections must be applied. See Installing Sophos Linux Sensor.
Testing Sophos Linux Sensor detections
Once the sensor and content are installed, test to ensure that the content is properly deployed and that the generated alerts are going to the right place. The quickest way to test this is to trigger a test alert using the Test Alert policy in the default content package.
- Make sure SLS is started on the host that you wish to test. Run the following command:
systemctl status sophoslinuxsensor
Sample output:
vagrant@vagrant:~$ sudo systemctl status sophoslinuxsensor
● sophoslinuxsensor.service - Sophos Linux Sensor
     Loaded: loaded (/lib/systemd/system/sophoslinuxsensor.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-05-17 15:19:04 UTC; 14min ago
   Main PID: 26137 (sophoslinuxsens)
      Tasks: 20 (limit: 2245)
     Memory: 42.0M
     CGroup: /system.slice/sophoslinuxsensor.service
             ├─26137 /usr/local/bin/sophoslinuxsensor
             ├─26149 runtimedetections-trigger
             └─26151 /usr/local/bin/perf-sensor
...
May 17 15:19:05 vagrant sophoslinuxsensor[26137]: 2022-05-17T15:19:05.908Z INFO 32 policies configured
...
Confirm that the Active line reads active (running) and that the startup log reports the number of policies configured (32 in this example), which shows that the default content was loaded.
- Run the following command to trigger the Test Alert policy:
sophoslinuxsensor --test-alert
Sample output:
2022-05-17T15:28:31.470Z INFO config "/etc/sophos/runtimedetections-rules.yaml" has been read
Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
2022-05-17T15:28:31.472Z INFO using sensor configuration file "/etc/sophos/runtimedetections-rules.yaml"
2022-05-17T15:28:31.474Z INFO Alert testing command executed, exiting
- You should see the following alert in the sensor's log (for example in the systemd journal, with journalctl -u sophoslinuxsensor):
May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester
You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default. If the line appears in the sensor log but not in your alert output, the alert destination is misconfigured rather than the sensor or the content.
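The three steps above can be scripted as one self-check that is safe to schedule after each deployment. The script below is an added example, not part of the Sophos documentation or the SLS tooling: it takes the unit name, the trigger command and the "Alert triggered: Alert Tester" line from the steps above, and assumes that alerts go to stdout (the default) and therefore land in the systemd journal, that the script runs as root, and the SLS_SELFTEST_RUN/SLS_SELFTEST_TIMEOUT switches and the 15-second wait are its own inventions.

```shell
#!/bin/sh
# Added example (not Sophos's own tooling): end-to-end check of the
# Test Alert procedure. Unit name, trigger command and alert text come
# from the documented steps; SLS_SELFTEST_RUN, SLS_SELFTEST_TIMEOUT and the
# polling loop are assumptions made for this script.

UNIT="sophoslinuxsensor"
ALERT_TEXT="Alert triggered: Alert Tester"

# Return 0 when `systemctl status` output reports the unit as active (running).
sls_is_running() {
    printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

# Print the policy count from the sensor's "INFO <n> policies configured"
# startup line (format taken from the documented sample output); empty if absent.
sls_policy_count() {
    printf '%s\n' "$1" | sed -n 's/.*INFO \([0-9][0-9]*\) policies configured.*/\1/p' | tail -n 1
}

# Return 0 when the log text contains the Test Alert line.
sls_alert_seen() {
    printf '%s\n' "$1" | grep -q "$ALERT_TEXT"
}

# Live run (root, on the SLS host): verify the service, note the time,
# trigger the Test Alert policy, then poll the journal for the alert line.
sls_selftest() {
    wait_s="${1:-15}"
    status_out="$(systemctl status "$UNIT" 2>&1)" || true
    if ! sls_is_running "$status_out"; then
        echo "FAIL: $UNIT is not active (running)" >&2
        return 1
    fi
    startup_log="$(journalctl -u "$UNIT" --no-pager 2>/dev/null)"
    echo "INFO: policies configured: $(sls_policy_count "$startup_log")"

    since="$(date '+%Y-%m-%d %H:%M:%S')"
    sophoslinuxsensor --test-alert || { echo "FAIL: --test-alert failed" >&2; return 1; }

    i=0
    while [ "$i" -lt "$wait_s" ]; do
        log_out="$(journalctl -u "$UNIT" --since "$since" --no-pager 2>/dev/null)"
        if sls_alert_seen "$log_out"; then
            echo "OK: found '$ALERT_TEXT' in the journal"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "FAIL: no '$ALERT_TEXT' within ${wait_s}s; check the configured alert output" >&2
    return 1
}

# Only touch the live system when explicitly asked, so the parsing helpers
# can be exercised on captured log text without root or a running sensor.
if [ "${SLS_SELFTEST_RUN:-0}" = "1" ]; then
    sls_selftest "${SLS_SELFTEST_TIMEOUT:-15}"
fi
```

Run it as `SLS_SELFTEST_RUN=1 sh sls-selftest.sh` on the host; a non-zero exit means one of the three steps failed, and the message says which. If the alert destination has been changed from stdout, replace the journalctl call with a read of that destination, since the journal will then no longer carry the alert line.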