Software implementing IDMEF

Tools

PRELUDE OSS: Prelude collects, archives, normalizes, sorts, aggregates, correlates and reports all security-related events, independently of the product brand or license giving rise to such events. Prelude OSS uses the IDMEF format. It is a good tool for getting familiar with IDMEF, as all attribute values are visible from the graphical user interface.
OSSEC: Open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. OSSEC can send IDMEF output to Prelude IDS: http://ossec-docs.readthedocs.org/en/latest/manual/output/prelude-output.html?highlight=prelude
Samhain: The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, and detection of rogue SUID executables and hidden processes. Samhain can send IDMEF output to Prelude IDS: http://www.la-samhna.de/samhain/manual/preludedetails.html
Suricata: Suricata is a high-performance network IDS, IPS and network security monitoring engine. Suricata can be registered as a Prelude agent and send IDMEF output to the manager: https://www.prelude-siem.org/projects/prelude/wiki/InstallingAgentThirdpartySuricata
Sagan: Sagan is an open source (GNU/GPLv2), high-performance, real-time log analysis and correlation engine that runs under *nix operating systems (Linux/FreeBSD/OpenBSD/etc.). Sagan can send IDMEF output to Prelude IDS.
Snort: Snort is a free intrusion detection system (or NIDS) released under the GNU GPL license. Snort is IDMEF compatible via Barnyard2.
Barnyard2: Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
Orchids: OrchIDS is a new-generation intrusion detection system (IDS) based on real-time event correlation.