File: ssdeep.1

.TH SSDEEP "1" "Version 2.5 \- 6 May 2010" "ManTech International" "ManTech International"

.SH NAME
ssdeep - Computes context triggered piecewise hashes

.SH SYNOPSIS
.B ssdeep [-m <file>] [-k <file>] [-vprdsblcxa] [-t val] [FILES]
.br
.B ssdeep [-V|h] 

.SH DESCRIPTION
.PP
Computes a checksum based on context triggered piecewise hashes
for each input file. 
If requested, the program matches those checksums against
a file of known checksums and reports any possible matches. 
It can also examine one or more files of signatures and find any 
matches among those signatures.
Output
is written to standard output and errors to standard error.
Input from standard input is not supported.

.TP
\fB\-m <file>\fR
Load the file of known hashes to be used for matching. This file must
be a previous output of the program and have the correct header. Displays
only those files that match a known file and what file they matched
against. Although the name of this file may not contain Unicode characters,
the file can hold hashes of files with Unicode filenames. May not be used with the 
\-k or \-x flags.

.TP
\fB\-k <file>\fR
Compare the known signatures in the specified file to the pre-computed
signatures in FILES. That is, both the file specified here and the
input FILES should contain fuzzy hashes already. This flag can be 
used multiple times to load more known signatures.
May not be used with the \-m or \-x flags.

.TP
\fB\-v\fR
Verbose mode. The name of each file is printed to standard error
as it is being hashed.


.TP
\fB\-p\fR
Pretty matching mode. Computes signatures for all input files
and then displays all matches between files. That is, if file A matches
file B, displays "A matches B" and "B matches A" but not "A matches A".
Each file's information is grouped and separated by newlines. 
This flag may be used with the \fB\-m\fR flag, but not 
the \fB\-d\fR flag.

.TP
\fB\-r\fR
Enables recursive mode. All subdirectories are traversed.
Please note that recursive mode cannot be used to examine all
files of a given file extension. For example, invoking the program with
\fB\-r *.txt\fR will examine all files in directories that end in .txt. 
If you want to process all files in a directory tree with the .txt suffix,
try using the \fBfind(1)\fR command.

.TP
\fB\-d\fR
Enables directory mode. In this mode, all of the FILES are examined
and a signature is computed for each. If the signature for any files
matches any of the previously computed signatures, a match is displayed
just like the \fB\-m\fR mode. This flag may also be used in conjunction
with the \fB\-m\fR mode, but not with the \fB\-p\fR mode.

.TP
\fB\-s\fR
Silent mode. All error messages are suppressed.

.TP
\fB\-b\fR
Enables bare mode. Strips any leading directory information from 
displayed filenames. 
This flag may not be used in conjunction with the \fB\-l\fR flag.

.TP
\fB\-l\fR
Enables relative file paths. Instead of printing the absolute path for
each file, displays the relative file path as indicated on the command 
line. This flag may not be used in conjunction with the \fB\-b\fR flag.

.TP
\fB\-c\fR
Enables comma separated output mode. In any of the matching modes
\-d, \-p, or \-m,
displays the results as input file, known file, matching score.

.TP
\fB\-x\fR
Enables signature file matching. The input FILES are assumed to contain
ssdeep formatted signatures. All of the signatures in these FILES are
loaded into memory and compared against each other. All matches are
displayed, except for matches that have the same filename and
come from the same input file.
May not be used with the \-m or \-k flags.

.TP
\fB\-a\fR
Displays all matches in any of the matching modes, regardless of score.
Yes, this displays all 'matches', even if the match score is zero.

.TP
\fB\-t <val>\fR
In any of the matching modes, only displays matches whose match
score is above the given value.

.TP
\fB\-h\fR
Show a help screen and exit.

.TP
\fB\-V\fR
Show the version number and exit.


.SH RETURN VALUE
Returns 0 on success, 1 if there is a problem.
Read errors, permission denied, and encountering directories while
not in recursive mode are still considered successes. Problems are
things like being unable to load the matching file, specifying
both bare and relative paths, etc.
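
The following is an added example, not part of the ssdeep distribution. It combines the \-r advice about find(1) with the RETURN VALUE rules: files are selected by suffix with find, and because read errors still exit 0, standard error is checked as well as the exit status. The SSDEEP variable and the function name hash_by_suffix are hypothetical.

```shell
#!/bin/sh
# Added example: hash only files with a given suffix in a directory tree.
# SSDEEP is a hypothetical override so another binary path can be used.
SSDEEP=${SSDEEP:-ssdeep}

# hash_by_suffix DIR SUFFIX OUTFILE ERRFILE
#   Signatures are written to OUTFILE, diagnostics to ERRFILE.
#   Returns 0: ssdeep exited 0 and printed nothing on standard error.
#   Returns 1: ssdeep (or find) reported a problem via its exit status.
#   Returns 2: exit status was 0 but diagnostics were printed, meaning
#              some files were skipped (read error, permission denied).
hash_by_suffix() {
    dir=$1 suffix=$2 out=$3 err=$4

    # find does the traversal and the suffix filter, so -r is not used.
    # -type f keeps out directories whose names happen to end in SUFFIX.
    # -l prints paths relative to DIR as given on the command line.
    # Note: find may split a long file list across several ssdeep runs.
    find "$dir" -type f -name "*$suffix" \
        -exec "$SSDEEP" -l {} + >"$out" 2>"$err"
    status=$?

    if [ "$status" -ne 0 ]; then
        return 1
    fi
    # Exit status 0 does not prove every file was hashed.
    if [ -s "$err" ]; then
        return 2
    fi
    return 0
}
```

Typical use: hash_by_suffix /evidence .txt known.txt errors.log, then review errors.log before relying on known.txt with \-m.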

.SH AUTHOR
ssdeep was written by Jesse Kornblum, ManTech International Corporation
.br
research (%at%) jessekornblum dott com

.PP
.SH COPYRIGHT
This program is Copyright (C) 2006-2010 ManTech International Corporation
and is licensed under the terms of the General Public License. See the 
file COPYING for details.

.SH SEE ALSO
This program is based on SpamSum by Dr. Andrew Tridgell.
.br
http://www.samba.org/ftp/unpacked/junkcode/spamsum/