glaslos/ssdeep

ssdeep output parity on small files

zdiff opened this issue · 3 comments

zdiff commented

While using ssdeep 2.13 from https://ssdeep-project.github.io/ssdeep/index.html, I receive the following output on small files:

ssdeep,1.1--blocksize:hash:hash,filename
3:I3VOCdKHObbERXsvPUZdIK9LKL9v:IltdBEx5Iv,"/etc/apt/apt.conf"
ssdeep: Did not process files large enough to produce meaningful results

However, when using github.com/glaslos/ssdeep, I receive the following output on small files:

did not process files large enough to produce meaningful results

Can we have an option to also return the fuzzy hash on small files to reproduce ssdeep output, regardless of whether it results in unreliable output?

Right now we are bailing early if the file size is below the minimum size (4kb). Calculating the partial hash would result in spending CPU cycles on something you can't use. But I do get your point about the output not matching the reference implementation. How about we add a flag that enforces the calculation of the hash anyway?

Try this branch and use the --force flag: https://github.com/glaslos/ssdeep/tree/force_flag

zdiff commented

This change is working well for me. I appreciate how quickly you were able to create a POC.