Linux command
ssdeep command
Files
After copying, replace file names, directories, or parameters as needed.
Common examples
Compute fuzzy hashes
ssdeep [file1] [file2]
Compute hashes recursively
ssdeep -r [directory/]
Compare all input files against each other
ssdeep -p [file1] [file2] [file3]
Match files against a saved set of known hashes
ssdeep -m [known_hashes.txt] [files_to_check]
Compare two saved signature files
ssdeep -k [known.txt] [computed.txt]
Show only matches above a score threshold
ssdeep -p -t [50] [files]
Output match results in CSV format
ssdeep -c [files]
Description
ssdeep computes context-triggered piecewise hashes (CTPH), also called fuzzy hashes. A cryptographic hash such as SHA-256 changes completely when a single byte of the input changes; a fuzzy hash changes only locally, so two hashes can be compared to estimate how similar the files are rather than only whether they are identical. The tool is used in malware analysis (grouping variants of one family), in forensics and document review (finding modified copies of a file), and for near-duplicate detection. Each comparison yields a score from 0 to 100: a score above 0 means the two files share common byte sequences, and 100 means they are identical or nearly so. Comparison is only attempted between hashes whose block sizes are equal or differ by a factor of two; otherwise the score is 0 even if the files are related, so a score of 0 does not prove that two files are unrelated. Small files produce short hashes and low scores, and compression, encryption or packing destroys the similarity the hash relies on. The output starts with the header line ssdeep,1.1--blocksize:hash:hash,filename, followed by one line per file of the form blocksize:hash1:hash2,"filename", where hash2 is computed with twice the block size of hash1. Save this output to a file and feed it back with -m (match new files against it) or -k (compare two saved signature files).
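The following is an added example, not code from the ssdeep project: it parses the output format described above into signatures, re-implements the comparison ssdeep performs (block-size compatibility check, run elimination, 7-character common-substring test, weighted edit distance, rescaling to 0-100 and the cap for small block sizes) as I understand it from the ssdeep sources, and then does what `-m` does: scores each new file against a known set and keeps the matches above a threshold. The file names and hash strings in the sample output are constructed for the example and are not real hashes; the scoring is for illustration and is not guaranteed to agree with the ssdeep binary in every corner case, so use the real tool in production.

```python
"""Parse ssdeep output and score signatures against a known set.

Added example for this page, not the ssdeep project's own code. The scoring
re-implements ssdeep's comparison as documented in its sources and is for
illustration only; it may differ from the ssdeep binary in corner cases.
"""
import re
from dataclasses import dataclass

SPAMSUM_LENGTH = 64   # maximum length of one hash component
MIN_BLOCKSIZE = 3     # smallest block size ssdeep uses
ROLLING_WINDOW = 7    # rolling-hash window; also the common-substring length

# Signature line as ssdeep prints it:  blocksize:hash1:hash2,"filename"
SIG_RE = re.compile(r'^(\d+):([A-Za-z0-9+/]*):([A-Za-z0-9+/]*),"(.*)"$')


@dataclass(frozen=True)
class Signature:
    block_size: int
    hash1: str      # computed with block_size
    hash2: str      # computed with 2 * block_size
    filename: str


def parse_output(text):
    """Turn ssdeep output (or a saved hash file) into Signature objects.
    The header 'ssdeep,1.1--blocksize:hash:hash,filename' and blank lines are skipped."""
    sigs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("ssdeep,"):
            continue
        m = SIG_RE.match(line)
        if not m:
            raise ValueError("not an ssdeep signature line: %r" % line)
        sigs.append(Signature(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return sigs


def _eliminate_sequences(s):
    """Cut runs of one character longer than 3 down to 3; they carry no information."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def _has_common_substring(a, b):
    """Two hashes are only candidates if they share a ROLLING_WINDOW-long substring."""
    if len(a) < ROLLING_WINDOW or len(b) < ROLLING_WINDOW:
        return False
    return any(a[i:i + ROLLING_WINDOW] in b for i in range(len(a) - ROLLING_WINDOW + 1))


def _edit_distance(a, b):
    """Levenshtein distance with insert/delete cost 1 and substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                         # delete ca
                           cur[j - 1] + 1,                      # insert cb
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def _score_strings(a, b, block_size):
    """Score one pair of hash components (0..100) at the given block size."""
    if len(a) > SPAMSUM_LENGTH or len(b) > SPAMSUM_LENGTH:
        return 0
    if not _has_common_substring(a, b):
        return 0
    score = _edit_distance(a, b) * SPAMSUM_LENGTH // (len(a) + len(b))
    score = 100 * score // SPAMSUM_LENGTH
    if score >= 100:
        return 0
    score = 100 - score
    # Small block sizes mean small files whose short hashes match too easily,
    # so the score is capped; this is why tiny files rarely score highly.
    if block_size >= (99 + ROLLING_WINDOW) // ROLLING_WINDOW * MIN_BLOCKSIZE:
        return score
    return min(score, block_size // MIN_BLOCKSIZE * min(len(a), len(b)))


def compare(x, y):
    """Score two signatures 0..100 as ssdeep -p / -m / -k report them."""
    bx, by = x.block_size, y.block_size
    # Hashes are comparable only when block sizes are equal or differ by a factor of two.
    if bx != by and bx * 2 != by and bx != by * 2:
        return 0
    x1, x2 = _eliminate_sequences(x.hash1), _eliminate_sequences(x.hash2)
    y1, y2 = _eliminate_sequences(y.hash1), _eliminate_sequences(y.hash2)
    if bx == by and x1 == y1 and x2 == y2:
        return 100                                  # identical signatures
    if bx == by:
        return max(_score_strings(x1, y1, bx), _score_strings(x2, y2, bx * 2))
    if bx == by * 2:
        return _score_strings(x1, y2, bx)           # x.hash1 and y.hash2 share a block size
    return _score_strings(x2, y1, by)               # x.hash2 and y.hash1 share a block size


def match_known(known, computed, threshold=0):
    """What 'ssdeep -m known.txt FILES -t N' reports: (file, known file, score)
    for every pair whose score exceeds the threshold."""
    hits = []
    for c in computed:
        for k in known:
            score = compare(c, k)
            if score > threshold:
                hits.append((c.filename, k.filename, score))
    return hits


# Constructed sample output in ssdeep's format; hashes are made up, not real.
KNOWN_OUTPUT = """ssdeep,1.1--blocksize:hash:hash,filename
96:3RUHvdLmNSfcXTPb9yZ6oAEQk2gKrJF1MtWp8iVx:3RUHvdLmfcXTPbZ6oAEQk2gKrJF1Wp8iVx,"/known/dropper_v1.bin"
"""
INCOMING_OUTPUT = """ssdeep,1.1--blocksize:hash:hash,filename
96:3RUHvdLmNSfcXTPb9yZ6oAEQk2gKrJF1MtWp8iVx:3RUHvdLmfcXTPbZ6oAEQk2gKrJF1Wp8iVx,"/incoming/sample_a.bin"
96:3RUHvdLmNSfcXTPb9yZ6u5Dhn0IerJF1MtWp8iVx:3RUHvdLmfcXTPbZ6u5Dhn0gKrJF1Wp8iVx,"/incoming/sample_b.bin"
48:Yk8xLq2WmTzD5vNpRbH0eJ3cGfS9aUoE1iKn:Yk8xLqWmTzD5NpRbH0eJ3cGf9aUoE1Kn,"/incoming/sample_c.bin"
"""


def demo(threshold=0):
    """Match the constructed incoming set against the constructed known set."""
    return match_known(parse_output(KNOWN_OUTPUT), parse_output(INCOMING_OUTPUT), threshold)


if __name__ == "__main__":
    for fname, kname, score in demo():
        print("%s matches %s (%d)" % (fname, kname, score))
```

On the constructed data, sample_a is byte-identical to the known signature and scores 100, sample_b differs in a contiguous stretch of both hash components and scores 83, and sample_c shares no 7-character substring with the known hash and is dropped because its score is 0; raising the threshold to 90 keeps only sample_a, which is the effect of `-t 90`.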
Parameters
- -m _file_
- Load known hashes from file and match the hashes computed from the input files against them.
- -k _file_
- Treat the input files as saved signature files and compare the signatures they contain against the known signatures in file.
- -p
- Pretty matching mode. Compare all input files against each other and report every match in both directions.
- -d
- Directory mode. Compare each input file against the files processed before it, then add its hash to the set; each matching pair is reported once.
- -r
- Recursive mode. Traverse all subdirectories.
- -t _val_
- Match threshold (0-100). Only display matches scoring above this value. Default: 0.
- -a
- Display all matches regardless of score, including matches with a score of 0.
- -v
- Verbose mode. Print each filename to stderr while it is being hashed.
- -b
- Use bare filenames (no path) in output.
- -l
- Use relative paths in output.
- -c
- Output match results in CSV format.
- -s
- Silent mode. Suppress error messages.
- -x
- Treat the input files as saved signature files and compare the signatures they contain against each other.
FAQ
What is the ssdeep command used for?
ssdeep computes context-triggered piecewise hashes (CTPH), or fuzzy hashes, which can be compared to identify files that are similar but not identical. It is used in malware analysis, digital forensics, detecting modified documents, and finding near-duplicate files. Comparisons score from 0 (no match) to 100 (identical or nearly so); a score above 0 means the files share common byte sequences. The output (block size, two hash components, filename) can be saved and reused later with the -m or -k options.
How do I run a basic ssdeep example?
Run `ssdeep [file1] [file2]` in a terminal to print the fuzzy hash of each file, then adjust the file names, paths, or flags for your system.
What does -m _file_ do in ssdeep?
Load known hashes from file and match against computed hashes from input files.