SSDEEP(1) Facebook SSDEEP(1)NAMEssdeep - Computes context triggered piecewise hashes (fuzzy hashes)
SYNOPSISssdeep [-m <file>] [-k <file>] [-vdprgsblcxa] [-t val] [FILES]
ssdeep [-V|h]
DESCRIPTION
Computes a signature based on context triggered piecewise hashes for
each input file, also called a fuzzy hash. If requested, the program
matches those signatures against a file of known signatures and reports
any possible matches. It can also examine one or more files of signa‐
tures and find any matches in those files. Output is written to stan‐
dard out and errors to standard error.
-m <file>
Loads the specified file of known hashes to be used for match‐
ing. This file must be a previous output of the program. The
program then hashes each entry in FILES and compares these sig‐
natures to the known signatures. Any matches which score above
the threshold are displayed. This flag may be used multiple
times to load more known signatures. This flag may not be used
with the -k or -x flags.
-k <file>
Load the specified file of known hashes to be used for matching.
This file must be a previous output of the program. The program
then treats each entry in FILES as a set of known hashes as
well. The hashes in these FILES are compared to the known hashes
from this file. Matches which score above the threshold are dis‐
played. Both the file specified here and the input FILES should
contain fuzzy hashes. This flag may be used multiple times to
load more known signatures. This flag may not be used with the
-m, -d, or -p flags.
-v Verbose mode. The name of each file is printed to standard error
as it is being hashed.
-d Computes a signature for each entry in the FILES and compares it
to the set of known signatures. Matches which score above the
threshold are displayed. The computed signature is then added to
the set of known signatures. This flag may not be used with the
-k or -x flags.
-p Works like the -d flag, but displays all matches for each file.
That is, for two files A and B which match score above the
threshold, displays "A matches B" and "B matches A". This flag
may not be used with the -k or -x flags.
-r Enables recursive mode. All subdirectories are traversed.
Please note that recursive mode cannot be used to examine all
files of a given file extension. For example, invoking the pro‐
gram with -r *.txt will examine all files in directories that
end in .txt. If you want to process all files in a directory
tree with the .txt suffix, try using the find(1) command.
-g Similar files are grouped together into clusters. This can be
handy for finding more similar files. That is, if you are
searching for file A, which matches B, anything which matches B
will also be included in the cluster.
-s Silent mode. All error messages are suppressed.
-b Enables bare mode. Strips any leading directory information from
displayed filenames. This flag may not be used in conjunction
with the -l flag.
-l Enables relative file paths. Instead of printing the absolute
path for each file, displays the relative file path as indicated
on the command line. This flag may not be used in conjunction
with the -b flag.
-c Enables comma separated output mode. In any of the matching
modes -d, -p, or -m, displays the results as input file, known
file, matching score.
-x Signature file matching. Each entry in FILES must contain sig‐
natures generated by a previous output of the program. Each sig‐
nature is loaded and compared against the set of known hashes.
Match scores above the threshold are displayed. Each signature
is then added to the set of knowns. This flag may not be used
with the -m, -d, or -p flags.
-a Displays all matches in any of the matching mode, regardless of
score. Using the -a flag displays all results, even if the
match score is zero.
-t <val>
In any of the matching modes, only display matches when match
score is greater than the given value. The default threshold
value is zero.
-h Show a help screen and exit.
-V Show the version number and exit.
RETURN VALUE
Returns 0 on success, 1 if there is a problem. Read errors, permission
denied, and encountering directories while not in recursive mode are
still considered successes. Problems are things like being unable to
load the matching file, specifying both bare and relative paths, etc.
AUTHORssdeep was written by Jesse Kornblum of Facebook,
research@jessekornblum.com
COPYRIGHT
This program is Copyright (C) 2014 Facebook and is licensed under the
terms of the General Public License. See the file COPYING for details.
SEE ALSO
This program is based on SpamSum by Dr. Andrews Tridgell.
http://www.samba.org/ftp/unpacked/junkcode/spamsum/
Facebook Version 2.13 - 24 Apr 2015 SSDEEP(1)
