
Heuristic phishing URL analyzer for SOC/DFIR workflows


barb

Catch phishing URLs before they catch you.

Heuristic phishing URL analyzer for SOC/DFIR workflows. No API keys. No network requests. Pure offline analysis.


Features

  • 8 heuristic analyzers: entropy, homoglyph, TLD, subdomain, brand impersonation, URL shortener, encoding abuse, IP-based URLs
  • 5-tier verdict: SAFE / LOW_RISK / SUSPICIOUS / HIGH_RISK / PHISHING
  • Zero API keys required for core analysis — works fully offline
  • Output formats: Rich tables, console, JSON, CSV
  • --explain flag: template-based explanation by default, optional LLM (Anthropic Claude, OpenAI)
  • Batch processing: analyze URL lists from files, stdin, or multiple arguments
  • Automation-ready: exit codes (0=safe, 1=suspicious, 2=phishing, 3=error), --threshold filtering
  • IOC defanging: automatic in terminal output (hxxps[://]evil[.]com)
  • Configurable scoring: per-analyzer weights and verdict thresholds via YAML
  • Minimal dependencies: 5 core packages (typer, rich, pydantic, pyyaml, python-dotenv)

Quick Start

Installation

From PyPI:

pip install barb-phish

With LLM support (optional):

pip install barb-phish[llm]

From source:

git clone https://github.com/duathron/barb.git
cd barb
pip install -e ".[dev]"

Usage

Analyze a single URL:

barb analyze https://suspicious-site.tk/paypal-login

Batch analysis from file:

barb analyze -f urls.txt -o json

With explanation:

barb analyze https://pаypal.com --explain

Pipe from stdin:

cat urls.txt | barb analyze -o csv

Output Examples

Rich Output (default)

╭──────────────────────── barb ────────────────────────╮
│ URL       hxxp[://]192[.]168[.]1[.]1/paypal-login    │
│ Verdict   ⚠ SUSPICIOUS                               │
│ Score     4.0                                         │
╰──────────────────────────────────────────────────────╯
 Severity   Analyzer     Finding
 HIGH       ip_url       URL uses IP address instead of domain
 LOW        subdomain    Domain has 4 levels

JSON Output

barb analyze http://evil.tk/login -o json
{
  "url": "http://evil.tk/login",
  "verdict": "SUSPICIOUS",
  "risk_score": 4.0,
  "signals": [
    {"analyzer": "tld", "severity": "MEDIUM", "detail": "Suspicious TLD: .tk"}
  ]
}

Analyzers

Analyzer    What it detects                          Example
Entropy     High Shannon entropy in domain/path      x7k2m9p.evil.com
Homoglyph   Unicode confusable characters            pаypal.com (Cyrillic 'а')
TLD         Suspicious top-level domains             paypal-login.tk
Subdomain   Excessive depth / squatting patterns     secure.paypal.com.evil.com
Brand       Brand name in non-brand domain           paypal-secure.evil.com
Shortener   Known URL shortener services             bit.ly/abc123
Encoding    Percent-encoding / punycode abuse        %70%61%79pal.com
IP URL      IP address instead of domain             http://192.168.1.1/login

Configuration

Create ~/.barb/config.yaml:

scoring:
  weights:
    entropy: 1.0
    homoglyph: 1.5
    brand: 1.2
  thresholds:
    suspicious: 4
    phishing: 13

explain:
  provider: "template"     # template | anthropic | openai
  send_url: true           # send defanged URL to LLM

output:
  default_format: "rich"
  quiet: false

Environment variable: set BARB_LLM_KEY to supply the LLM API key.


Comparison

Feature               barb          VirusTotal URL Scan   URLScan.io      PhishTank
Offline analysis      Yes           No                    No              No
API key required      No            Yes                   Yes             Optional
Heuristic detection   8 analyzers   Signature-based       Browser-based   Community
CLI tool              Yes           Web/API               Web/API         Web/API
LLM explanation       Optional      No                    No              No
Self-hosted           Yes           No                    No              No

Use barb for offline heuristic URL triage. Use vex for VirusTotal IOC enrichment. Pipe barb JSON output into vex for full enrichment (v1.1).


Exit Codes

Code   Meaning
0      SAFE or LOW_RISK
1      SUSPICIOUS or HIGH_RISK
2      PHISHING
3      Error (invalid input, missing file)
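To show how the analyzer table, the scoring weights and thresholds from the config, and the exit codes fit together, here is an added illustration in plain Python (not barb's own code). It implements five of the eight heuristics; the severity points, the HIGH_RISK threshold, the TLD list and the brand list are assumptions, while the weights and the 4/13 thresholds come from the config example above.

```python
# Added illustration, not barb's code: five heuristics, weighted scoring, 5-tier verdict.
# Assumed here: severity points, the high_risk threshold, the TLD and brand sample lists.
import ipaddress
import unicodedata
from urllib.parse import urlsplit

SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq"}                # assumed sample list
BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}  # assumed sample list
WEIGHTS = {"homoglyph": 1.5, "brand": 1.2}                       # others default to 1.0
POINTS = {"LOW": 1, "MEDIUM": 2, "HIGH": 4}                      # assumed severity points
THRESHOLDS = {"suspicious": 4, "high_risk": 8, "phishing": 13}   # high_risk assumed


def analyze(url: str) -> dict:
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive: no public-suffix list
    signals = []
    try:                                 # ip_url: literal address instead of a name
        ipaddress.ip_address(host)
        signals.append(("ip_url", "HIGH", "URL uses IP address instead of domain"))
    except ValueError:
        pass
    for ch in host:                      # homoglyph: non-Latin letter in the host
        if ord(ch) > 127 and "LATIN" not in unicodedata.name(ch, ""):
            signals.append(("homoglyph", "HIGH", f"Confusable character {ch!r} in host"))
            break
    for brand, home in BRANDS.items():   # brand: name present, registrable domain is not
        if brand in host and registrable != home:
            signals.append(("brand", "HIGH", f"Brand {brand} outside {home}"))
    if "%" in host:                      # encoding: percent-encoding inside the host
        signals.append(("encoding", "MEDIUM", "Percent-encoding in host"))
    if labels[-1] in SUSPICIOUS_TLDS:
        signals.append(("tld", "MEDIUM", f"Suspicious TLD: .{labels[-1]}"))
    if len(labels) >= 4:
        signals.append(("subdomain", "LOW", f"Domain has {len(labels)} levels"))
    score = sum(WEIGHTS.get(a, 1.0) * POINTS[s] for a, s, _ in signals)
    if score >= THRESHOLDS["phishing"]:
        verdict = "PHISHING"
    elif score >= THRESHOLDS["high_risk"]:
        verdict = "HIGH_RISK"
    elif score >= THRESHOLDS["suspicious"]:
        verdict = "SUSPICIOUS"
    else:
        verdict = "LOW_RISK" if signals else "SAFE"
    return {"url": url, "verdict": verdict, "risk_score": score, "signals": signals}


def exit_code(verdict: str) -> int:
    """Map a verdict to barb's documented exit codes: 0 safe, 1 suspicious, 2 phishing."""
    return {"SAFE": 0, "LOW_RISK": 0, "SUSPICIOUS": 1, "HIGH_RISK": 1}.get(verdict, 2)
```

Note that the Cyrillic-a case fires only the homoglyph analyzer: the ASCII brand check cannot see "paypal" in the mixed-script host, which is exactly why the two heuristics complement each other.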

Development

git clone https://github.com/duathron/barb.git
cd barb
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest tests/ -v

Security

  • No HTTP requests are ever made to analyzed URLs
  • All analysis is pure string-based heuristics
  • URL length capped at 2048 characters
  • Config directory secured with 0o700 permissions
  • LLM dependencies are optional extras — core install has zero network deps

License

MIT License. See LICENSE.md.


Author: Christian Huhn

Project details

Release 1.2.0 ships as a source distribution (barb_phish-1.2.0.tar.gz, 44.1 kB) and a Python 3 wheel (barb_phish-1.2.0-py3-none-any.whl, 42.9 kB), both uploaded with twine/6.1.0 (CPython/3.13.12) through Trusted Publishing, with attestation bundles from the publish.yml workflow on duathron/barb.