NAME
ssdeep - Computes context triggered piecewise hashes
SYNOPSIS
ssdeep [-m <file>] [-k <file>] [-vprdsblcxa] [-t val] [FILES]
ssdeep [-V|h]
DESCRIPTION
Computes a checksum based on context triggered piecewise hashes for
each input file. If requested, the program matches those checksums
against a file of known checksums and reports any possible matches. It
can also examine one or more of signatures and find any matches in
those signatures. Output is written to standard out and errors to
standard error. Input from standard input is not supported.
-m <file>
Load the file of known hashes to be used for matching. This file
must be a previous output of the program and have the correct
header. Displays only those files that match a known file and
what file they matched against. Although filenames may not
contain Unicode characters, they can hold hashes with Unicode
filenames. May not be used with the -k or -x flags.
-k <file>
Compare the known signatures in the specified file to the pre-
computed signatures in FILES. That is, both the file specified
here and the input FILES should contain fuzzy hashes already.
This flag can be used multiple times to load more known
signatures. May not be used with the -m or -x flags.
-v Verbose mode. The name of each file is printed to standard error
as it is being hashed.
-p Pretty matching mode. Computes signatures for all input files
and then display all matches between files. That is, if file A
matches file B, displays "A matches B" and "B matches A" but not
"A matches A". Each file’s information is grouped and separated
by newlines. This flag may be used with the -m flag, but not
the -d flag.
-r Enables recursive mode. All subdirectories are traversed.
Please note that recursive mode cannot be used to examine all
files of a given file extension. For example, invoking the
program with -r *.txt will examine all files in directories that
end in .txt. If you want to process all files in a directory
tree with the .txt suffix, try using the find(1) command.
-d Enables directory mode. In this mode, all of the FILES are
examined and a signature is computed for each. If the signature
for any files matches any of the previously computed signatures,
a match is displayed just like the -d mode. This flag may also
be used in conjunction with the -m mode, but with the -p mode.
-s Silent mode. All error messages are suppressed.
-b Enables bare mode. Strips any leading directory information from
displayed filenames. This flag may not be used in conjunction
with the -l flag.
-l Enables relative file paths. Instead of printing the absolute
path for each file, displays the relative file path as indicated
on the command line. This flag may not be used in conjunction
with the -b flag.
-c Enables comma separated output mode. In any of the matching
modes -d, -p, or -m, displays the results as input file, known
file, matching score.
-x Enables signature file matching. The input FILES are assumed to
contain ssdeep formatted signatures. All of the signatures in
these FILES are loaded into memory and compared against each
other. All matches are displayed, except for matches that have
the same filename and come from the same input file. May not be
used with the -m or -k flags.
-a Displays all matches in any of the matching mode, regardless of
score. Yes, this displays all ’matches’, even if the match
score is zero.
-t <val>
In any of the matching modes, only displays matches whose match
score is above the given value.
-h Show a help screen and exit.
-V Show the version number and exit.
RETURN VALUE
Returns 0 on success, 1 if there is a problem. Read errors, permission
denied, and encountering directories while not in recursive mode are
still considered successes. Problems are things like being unable to
load the matching file, specifying both bare and relative paths, etc.
AUTHOR
ssdeep was written by Jesse Kornblum, ManTech International Corporation
research (%at%) jessekornblum dott com
COPYRIGHT
This program is Copyright (C) 2006-2010 ManTech International
Corporation and is licensed under the terms of the General Public
License. See the file COPYING for details.
SEE ALSO
This program is based on SpamSum by Dr. Andrews Tridgell.
http://www.samba.org/ftp/unpacked/junkcode/spamsum/