Heuristic phishing URL analyzer for SOC/DFIR workflows


barb

Catch phishing URLs before they catch you.

Heuristic phishing URL analyzer for SOC/DFIR workflows. No API keys. No network requests. Pure offline analysis.


Features

  • 8 heuristic analyzers: entropy, homoglyph, TLD, subdomain, brand impersonation, URL shortener, encoding abuse, IP-based URLs
  • 5-tier verdict: SAFE / LOW_RISK / SUSPICIOUS / HIGH_RISK / PHISHING
  • Zero API keys required for core analysis — works fully offline
  • Output formats: Rich tables, console, JSON, CSV
  • --explain flag: template-based explanation by default, optional LLM (Anthropic Claude, OpenAI)
  • Batch processing: analyze URL lists from files, stdin, or multiple arguments
  • Automation-ready: exit codes (0=safe, 1=suspicious, 2=phishing, 3=error), --threshold filtering
  • IOC defanging: automatic in terminal output (hxxps[://]evil[.]com)
  • Configurable scoring: per-analyzer weights and verdict thresholds via YAML
  • Minimal dependencies: 5 core packages (typer, rich, pydantic, pyyaml, python-dotenv)

Quick Start

Installation

From PyPI:

pip install barb-phish

With LLM support (optional):

pip install barb-phish[llm]

From source:

git clone https://github.com/duathron/barb.git
cd barb
pip install -e ".[dev]"

Usage

Analyze a single URL:

barb analyze https://suspicious-site.tk/paypal-login

Batch analysis from file:

barb analyze -f urls.txt -o json

With explanation:

barb analyze https://pаypal.com --explain

Pipe from stdin:

cat urls.txt | barb analyze -o csv

Output Examples

Rich Output (default)

╭──────────────────────── barb ────────────────────────╮
│ URL       hxxp[://]192[.]168[.]1[.]1/paypal-login    │
│ Verdict   ⚠ SUSPICIOUS                               │
│ Score     4.0                                         │
╰──────────────────────────────────────────────────────╯
 Severity   Analyzer     Finding
 HIGH       ip_url       URL uses IP address instead of domain
 LOW        subdomain    Domain has 4 levels

JSON Output

barb analyze http://evil.tk/login -o json
{
  "url": "http://evil.tk/login",
  "verdict": "SUSPICIOUS",
  "risk_score": 4.0,
  "signals": [
    {"analyzer": "tld", "severity": "MEDIUM", "detail": "Suspicious TLD: .tk"}
  ]
}

Analyzers

Analyzer    What it detects                        Example
Entropy     High Shannon entropy in domain/path    x7k2m9p.evil.com
Homoglyph   Unicode confusable characters          pаypal.com (Cyrillic 'а')
TLD         Suspicious top-level domains           paypal-login.tk
Subdomain   Excessive depth / squatting patterns   secure.paypal.com.evil.com
Brand       Brand name in non-brand domain         paypal-secure.evil.com
Shortener   Known URL shortener services           bit.ly/abc123
Encoding    Percent-encoding / punycode abuse      %70%61%79pal.com
IP URL      IP address instead of domain           http://192.168.1.1/login

Configuration

Create ~/.barb/config.yaml:

scoring:
  weights:
    entropy: 1.0
    homoglyph: 1.5
    brand: 1.2
  thresholds:
    suspicious: 4
    phishing: 13

explain:
  provider: "template"     # template | anthropic | openai
  send_url: true           # send defanged URL to LLM

output:
  default_format: "rich"
  quiet: false

Environment variable: set BARB_LLM_KEY to the LLM API key when using the anthropic or openai provider.
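As an added example (not barb's own code), a minimal re-implementation of five of the analyzers listed above (IP URL, homoglyph, TLD, brand, entropy), scored with the weights and suspicious/phishing thresholds from the YAML above, mapped to the README's verdict tiers and exit codes, and defanged in the same hxxp[://] format. The HIGH_RISK cut-off, the severity point values, the suspicious-TLD list and the Cyrillic confusable map are constructed assumptions for this example.

```python
import ipaddress
import math
from collections import Counter
from urllib.parse import urlsplit

# Weights/thresholds as in the YAML above; HIGH_RISK cut-off, points, TLD list and confusables are constructed.
WEIGHTS = {"entropy": 1.0, "homoglyph": 1.5, "brand": 1.2}
THRESHOLDS = {"suspicious": 4, "phishing": 13, "high_risk": 8}
POINTS = {"LOW": 1, "MEDIUM": 2, "HIGH": 4}
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq"}
BRANDS = ("paypal", "microsoft", "apple")
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})
EXIT_CODES = {"SAFE": 0, "LOW_RISK": 0, "SUSPICIOUS": 1, "HIGH_RISK": 1, "PHISHING": 2}

def shannon_entropy(s):
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def verdict(score):
    tiers = (("phishing", "PHISHING"), ("high_risk", "HIGH_RISK"), ("suspicious", "SUSPICIOUS"))
    tier = next((name for key, name in tiers if score >= THRESHOLDS[key]), None)
    return tier or ("LOW_RISK" if score > 0 else "SAFE")

def defang(url):
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")  # hxxp[://]evil[.]com

def analyze(url):
    host = (urlsplit(url).hostname or "").lower()
    skeleton = host.translate(CONFUSABLES)        # Cyrillic look-alikes folded to Latin
    labels = skeleton.split(".")
    registrable = ".".join(labels[-2:])           # naive eTLD+1, no public-suffix list
    signals = []
    try:
        ipaddress.ip_address(host)                # raises ValueError for a real hostname
        signals.append(("ip_url", "HIGH", "URL uses IP address instead of domain"))
    except ValueError:
        pass
    if skeleton != host or not host.isascii():
        signals.append(("homoglyph", "HIGH", f"Non-ASCII host, looks like {skeleton}"))
    if labels[-1] in SUSPICIOUS_TLDS:
        signals.append(("tld", "MEDIUM", f"Suspicious TLD: .{labels[-1]}"))
    for brand in BRANDS:
        if brand in skeleton and not registrable.startswith(brand + "."):
            signals.append(("brand", "HIGH", f"Brand '{brand}' outside registrable domain {registrable}"))
    first = labels[0]                             # random-looking label: letters+digits near max entropy
    mixed = any(c.isdigit() for c in first) and any(c.isalpha() for c in first)
    if mixed and len(first) >= 6 and shannon_entropy(first) >= 0.9 * math.log2(len(first)):
        signals.append(("entropy", "LOW", f"High-entropy label: {first}"))
    score = round(sum(WEIGHTS.get(a, 1.0) * POINTS[s] for a, s, _ in signals), 1)
    return {"url": url, "verdict": verdict(score), "risk_score": score,
            "signals": [{"analyzer": a, "severity": s, "detail": d} for a, s, d in signals]}
```

The returned dict has the same keys as the JSON output shown above, and EXIT_CODES maps its verdict to the process exit code the automation section describes.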


Comparison

Feature              barb         VirusTotal URL Scan   URLScan.io      PhishTank
Offline analysis     Yes          No                    No              No
API key required     No           Yes                   Yes             Optional
Heuristic detection  8 analyzers  Signature-based       Browser-based   Community
CLI tool             Yes          Web/API               Web/API         Web/API
LLM explanation      Optional     No                    No              No
Self-hosted          Yes          No                    No              No

Use barb for offline heuristic URL triage. Use vex for VirusTotal IOC enrichment. Pipe barb JSON output into vex for full enrichment (v1.1).


Exit Codes

Code  Meaning
0     SAFE or LOW_RISK
1     SUSPICIOUS or HIGH_RISK
2     PHISHING
3     Error (invalid input, missing file)

Development

git clone https://github.com/duathron/barb.git
cd barb
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest tests/ -v

Security

  • No HTTP requests are ever made to analyzed URLs
  • All analysis is pure string-based heuristics
  • URL length capped at 2048 characters
  • Config directory secured with 0o700 permissions
  • LLM dependencies are optional extras — core install has zero network deps

License

MIT License. See LICENSE.md.


Author: Christian Huhn

Download files

Source Distribution

barb_phish-1.1.0.tar.gz (30.7 kB)

Built Distribution

barb_phish-1.1.0-py3-none-any.whl (34.2 kB)

File details

Details for the file barb_phish-1.1.0.tar.gz.

File metadata

  • Download URL: barb_phish-1.1.0.tar.gz
  • Size: 30.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for barb_phish-1.1.0.tar.gz
Algorithm    Hash digest
SHA256       6d83711ae2740c237acfa96abf4d682d2fd5a123352d32b15485ba38f2aec447
MD5          8dcc0b1c509d1b275af18686b6ed5730
BLAKE2b-256  150b5705bae66f9c8eea8ae15aa059a0f82e05d0cf56aceee4aabd2131fd7bdb

Provenance

The following attestation bundles were made for barb_phish-1.1.0.tar.gz:

Publisher: publish.yml on duathron/barb

File details

Details for the file barb_phish-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: barb_phish-1.1.0-py3-none-any.whl
  • Size: 34.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for barb_phish-1.1.0-py3-none-any.whl
Algorithm    Hash digest
SHA256       430fb5abe8016d8eccd64dad6272e3a4008a2a89d35b888749da8e166d25cc56
MD5          fce5f396a607a0e5c2c9ffe9ee057929
BLAKE2b-256  ade033bf0869d67e01db54fa74abc666f7906894b984662332c80f3fa384333d

Provenance

The following attestation bundles were made for barb_phish-1.1.0-py3-none-any.whl:

Publisher: publish.yml on duathron/barb
