Cisco Cisco FirePOWER Appliance 7020
37-16
FireSIGHT System User Guide
Chapter 37 Using Host Profiles
Working with Servers in the Host Profile
The server detail may also display updated sub-server information known about the selected server.
Finally, the server detail may display the server banner, which appears below the server details when you
view a server from the host profile.
Finally, the server detail may display the server banner, which appears below the server details when you
view a server from the host profile.
Server banners provide additional information about a server that may help you identify the server. The
system cannot identify or detect a misidentified server when an attacker purposely alters the server
banner string. The server banner displays the first 256 bytes of the first packet detected for the server. It
is collected only once, the first time the server is detected by the system. Banner content is listed in two
columns, with a hexadecimal representation on the left and a corresponding ASCII representation on the
right.
system cannot identify or detect a misidentified server when an attacker purposely alters the server
banner string. The server banner displays the first 256 bytes of the first packet detected for the server. It
is collected only once, the first time the server is detected by the system. Banner content is listed in two
columns, with a hexadecimal representation on the left and a corresponding ASCII representation on the
right.
Note
To view server banners, you must enable the
Capture Banners
check box in the network discovery policy.
This option is disabled by default.
Descriptions of the information provided in the server detail follow.
Protocol
The name of the protocol the server uses.
Port
The port where the server runs.
Hits
The number of times the server was detected by a Cisco managed device or Nmap. Note that the
number of hits is
number of hits is
0
for servers imported through host input, unless the system detects traffic for that
server.
Last Used
The time and date the server was last detected. Note that the last used time for host input data reflects
the initial data import time, unless the system detects new traffic for that server. Note also that
scanner and application data imported through the host input feature times out according to settings
in the system policy, but user input through the Defense Center web interface does not time out.
the initial data import time, unless the system detects new traffic for that server. Note also that
scanner and application data imported through the host input feature times out according to settings
in the system policy, but user input through the Defense Center web interface does not time out.
Application Protocol
The name of the application protocol used by the server, if known.
Vendor
The server vendor. This field does not appear if the vendor is unknown.
Version
The server version. This field does not appear if the version is unknown.
Source
One of the following values:
–
User:
user_name
–
Application:
app_name
–
Scanner:
scanner_type
(Nmap or scanner added through system policy)