The IDMEF RFC provides several subclasses of the Alert class:

• ToolAlert should provide additional information if a specific attack tool has been detected.
• OverflowAlert should provide additional information if a buffer overflow has been detected.
• CorrelationAlert should provide information about alerts that are correlated in some way, generally by some alert correlation process.

It seems that the first two classes are rarely used, although for different reasons. For buffer overflows, this kind of attacks, which was prevalent at the time of writing the RFC, and particularly in the context of C programs, has been less prevalent and has been less useful. For tools, there are so many attack tools that it is definitively hard to produce that information.

Therefore, one question that comes here would be to deprecate subclassing entirely, to promote CorrelationAlert as a new full IDMEF message, rethinking its structure and purpose.