The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.

As for today, the IDMEF RFC specifies two major classes of objects:

• Alert Class is used to send alerts from Analyser to Managers
• Hearbeat Class is used to send “hearbeats” from Analyser to Managers

An alert can be send:

• by an analyzer finding an “authentication failed” line in an application logfile
• by an anti-virus detecting a virus in a file
• by an IDS detecting a know attack in network flows

Hearbeats are generaly sent by all analyzers to inform Managers that they are correctly running.