.TH SSDEEP "1" "Version 2.14.2 \- TO BE DETERMINED" "ssdeep Project" "SSDEEP COMMAND"
.SH NAME
ssdeep - Computes context triggered piecewise hashes (fuzzy hashes)
.SH SYNOPSIS
.B ssdeep [-m <file>] [-k <file>] [-vdprgsblcxa] [-t val] [FILES]
.br
.B ssdeep [-V|h]
.SH DESCRIPTION
.PP
Computes a signature based on context triggered piecewise hashes
for each input file, also called a fuzzy hash.
If requested, the program matches those signatures against
a file of known signatures and reports any possible matches.
It can also examine one or more files of signatures and find any
matches in those files.
Output is written to standard out and errors to standard error.
.TP
\fB\-m <file>\fR
Loads the specified file of known hashes to be used for matching. This file must
be a previous output of the program. The program
then hashes each entry in FILES and compares these signatures to the known signatures.
Any matches which score above the threshold are displayed.
This flag may be used multiple times to load more known signatures.
This flag may not be used with the \-k or \-x flags.
.TP
\fB\-k <file>\fR
Load the specified file of known hashes to be used for matching. This file must
be a previous output of the program. The program
then treats each entry in FILES as a set of known hashes as well. The hashes in these
FILES are compared to the known hashes from this file. Matches which score
above the threshold are displayed. Both the file specified here and the
input FILES should contain fuzzy hashes.
This flag may be used multiple times to load more known signatures.
This flag may not be used with the \-m, \-d, or \-p flags.
.TP
\fB\-v\fR
Verbose mode. The name of each file is printed to standard error
as it is being hashed.
.TP
\fB\-d\fR
Computes a signature for each entry in FILES and compares it to the set
of known signatures. Matches which score above the threshold are displayed. The
computed signature is then added to the set of known signatures.
This flag may not be used with the \-k or \-x flags.
.TP
\fB\-p\fR
Works like the \-d flag, but displays all matches for each file. That is,
for two files A and B whose match score is above the threshold, displays
"A matches B" and "B matches A".
This flag may not be used with the \-k or \-x flags.
.TP
\fB\-r\fR
Enables recursive mode. All subdirectories are traversed.
Please note that recursive mode cannot be used to examine all
files of a given file extension. For example, invoking the program with
\fB\-r *.txt\fR will examine all files in directories whose names end in .txt.
If you want to process all files in a directory tree with the .txt suffix,
try using the \fBfind(1)\fR command.
.TP
\fB\-g\fR
Similar files are grouped together into clusters. This can be handy
for finding more similar files. That is, if you are searching for file
A, which matches B, anything which matches B will also be included in
the cluster.
.TP
\fB\-s\fR
Silent mode. All error messages are suppressed.
.TP
\fB\-b\fR
Enables bare mode. Strips any leading directory information from
displayed filenames.
This flag may not be used in conjunction with the \fB\-l\fR flag.
.TP
\fB\-l\fR
Enables relative file paths. Instead of printing the absolute path for
each file, displays the relative file path as indicated on the command
line. This flag may not be used in conjunction with the \fB\-b\fR flag.
.TP
\fB\-c\fR
Enables comma separated output mode. In any of the matching modes
\-d, \-p, or \-m,
displays the results as input file, known file, matching score.
.TP
\fB\-x\fR
Signature file matching.
Each entry in FILES must contain signatures generated by a previous output
of the program. Each signature is loaded and compared against the set of
known hashes. Match scores above the threshold are displayed. Each signature
is then added to the set of knowns.
This flag may not be used with the \-m, \-d, or \-p flags.
.TP
\fB\-a\fR
Displays all matches in any of the matching modes, regardless of score.
Using the \-a flag displays all results, even if the match score is zero.
.TP
\fB\-t <val>\fR
In any of the matching modes, only display matches when the match
score is greater than the given value. The default threshold value is zero.
.TP
\fB\-h\fR
Show a help screen and exit.
.TP
\fB\-V\fR
Show the version number and exit.
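.PP
The following is an added example, not part of ssdeep or its documentation: it post-processes comma separated match results (\-c) by applying a threshold as \-t does and grouping files transitively as described for \-g. The sample lines are constructed, and their quoting style is an assumption; only the field order (input file, known file, score) comes from this page.

```python
import csv

# Constructed sample of comma separated match output: input file, known file, score.
# Quoting style is an assumption; only the field order comes from the man page.
SAMPLE = [
    '"a.doc","b.doc",88',
    '"b.doc","c.doc",61',
    '"d.bin","e.bin",97',
    '"c.doc","d.bin",0',
    '"f.txt","a.doc",30',
]


def parse_matches(lines):
    """Return (input_file, known_file, score) tuples, skipping malformed lines."""
    rows = []
    for rec in csv.reader(lines):
        if len(rec) == 3 and rec[2].strip().isdigit():
            rows.append((rec[0], rec[1], int(rec[2])))
    return rows


def cluster(matches, threshold=0):
    """Group files transitively: A matches B and B matches C gives {A, B, C}.

    As with -t, a pair counts only when its score is greater than threshold.
    Files with no pair above the threshold do not appear in any cluster.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for a, b, score in matches:
        if score > threshold:
            parent[find(a)] = find(b)  # merge the two groups

    groups = {}
    for name in parent:
        groups.setdefault(find(name), set()).add(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for t in (0, 50):
        print(t, cluster(parse_matches(SAMPLE), threshold=t))
```

Raising the threshold from 0 to 50 drops the weak f.txt link, so f.txt leaves the first cluster while the chain a.doc, b.doc, c.doc stays grouped.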
.SH RETURN VALUE
Returns 0 on success, 1 if there is a problem.
Read errors, permission denied, and encountering directories while
not in recursive mode are still considered successes. Problems are
things like being unable to load the matching file, specifying
both bare and relative paths, etc.
.SH AUTHOR
ssdeep was written by Jesse Kornblum of Facebook,
.br
.SH COPYRIGHT
.PP
Copyright (C) 2002 Andrew Tridgell
.br
Copyright (C) 2006, 2008, 2010 ManTech International Corporation
.br
Copyright (C) 2012 Kyrus
.br
Copyright (C) 2013 Helmut Grohne
.br
Copyright (C) 2013, 2014 Facebook
.br
Copyright (C) 2014 kikairoya
.br
Copyright (C) 2014 Jesse Kornblum
.br
Copyright (C) 2017 Tsukasa OI
.PP
This program is licensed under the terms of the General Public License.
See the file COPYING for details.
.SH SEE ALSO
This program is based on SpamSum by Dr. Andrew Tridgell.
.br
http://www.samba.org/ftp/unpacked/junkcode/spamsum/