The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.
As for today, the IDMEF RFC specifies two major classes of objects:
Alert Class is used to send alerts from Analyser to Managers
Hearbeat Class is used to send “hearbeats” from Analyser to Managers
An alert can be send:
by an analyzer finding an “authentication failed” line in an application logfile
by an anti-virus detecting a virus in a file
by an IDS detecting a know attack in network flows
Hearbeats are generaly sent by all analyzers to inform Managers that they are correctly running.