--- original.c 2017-06-28 16:13:35.000000000 +0100
+++ spp_arpspoof.c 2018-10-11 14:59:11.000000000 +0100
@@ -143,6 +143,8 @@
 static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
 
+char* msg;
+
 #ifdef PERF_PROFILING
 PreprocStats arpPerfStats;
 #endif
@@ -193,6 +195,7 @@
 static void ARPspoofInit(struct _SnortConfig *sc, char *args)
 {
+    msg = malloc ((strlen(ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR)+150)*sizeof(char));
     int policy_id = (int)getParserPolicy(sc);
     ArpSpoofConfig *pDefaultPolicyConfig = NULL;
     ArpSpoofConfig *pCurrentPolicyConfig = NULL;
@@ -363,6 +366,60 @@
 #endif
 }
 
+char* getIps(char* defaultmsg, uint8_t* affected, uint8_t* attacker,uint8_t* target,Packet* p){
+    sfaddr_t ina;
+    char* cha;
+    int i = 0;
+    char str[4];
+    strcpy(msg,defaultmsg);
+
+    strcat(msg,", Mismatch mapping ");
+    for(i=0;i<6;i++){
+        sprintf(str,"%02x",affected[i]);
+        strcat(msg,str);
+        if(i<5)
+            strcat(msg,":");
+    }
+
+    strcat(msg," <-> ");
+    sfip_set_raw(&ina, &p->ah->arp_spa, AF_INET);
+    cha = strdup(inet_ntoa(IP_ARG(ina)));
+    strcat(msg,cha);
+    free(cha);
+
+
+    strcat(msg,", sha ");
+    for(i=0;i<6;i++){
+        sprintf(str,"%02x",attacker[i]);
+        strcat(msg,str);
+        if(i<5)
+            strcat(msg,":");
+    }
+    strcat(msg,", spa ");
+    sfip_set_raw(&ina, &p->ah->arp_spa, AF_INET);
+    cha = strdup(inet_ntoa(IP_ARG(ina)));
+    strcat(msg,cha);
+    free(cha);
+
+
+    strcat(msg,", tha ");
+    for (i=0; i<6;i++){
+        sprintf(str,"%02x",target[i]);
+        strcat(msg,str);
+        if(i<5)
+            strcat(msg, ":");
+    }
+
+
+    strcat(msg,", tpa ");
+    sfip_set_raw(&ina, &p->ah->arp_tpa, AF_INET);
+    cha = strdup(inet_ntoa(IP_ARG(ina)));
+    strcat(msg,cha);
+    free(cha);
+
+    return msg;
+}
+
 /**
  * Detect ARP anomalies and overwrite attacks.
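Review bot: `char* msg;` is a file-scope definition with external linkage, so a symbol named `msg` is now exported from spp_arpspoof.c and can collide with any other global of that name linked into the Snort binary. The buffer is only ever touched from this file (allocated in ARPspoofInit and released in the later cleanup hunk), so it should be `static char *msg;`, ideally with a less generic name such as `arpspoof_alert_msg`. A one-line comment stating its lifetime would help the next reader: `/* Scratch buffer for the formatted overwrite-attack alert; allocated once in ARPspoofInit, freed at clean exit. */`.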
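Review bot: The `malloc` result on the added line is never checked, so on failure `msg` stays NULL and the first `strcpy(msg, ...)` in getIps dereferences it; check it and either abort with the preprocessor's usual fatal-error path or fall back to the static alert string. The `+150` is the only thing standing between the later unbounded `strcat` calls and a heap overflow — the fixed fragments plus three MACs and three dotted-quad addresses come to about 145 bytes including the terminator, so it fits with roughly five bytes of slack, but nothing ties that number to the code that fills the buffer; give it a name and derive it from the format it must hold. If ARPspoofInit can run more than once (per policy or on reload — the surrounding code is outside the hunk), each pass overwrites the pointer and leaks the previous allocation, so guard it with `if (msg == NULL)`. `sizeof(char)` is 1 by definition and can be dropped.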
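Review bot: Every write into `msg` in getIps is unbounded (`strcpy`, `strcat`, `sprintf`), and while a well-formed ARP packet cannot exceed the capacity chosen in ARPspoofInit, the function accepts an arbitrary `defaultmsg` whose length is not checked against that allocation, so any future caller passing a longer prefix corrupts the heap. The `strdup` results are also used without a NULL check, and the copy is unnecessary: `inet_ntoa` returns a static buffer that can be appended directly as long as it is consumed before the next `inet_ntoa` call. I would rewrite the body around a bounded append helper (needs `<stdarg.h>`) and a shared capacity constant that ARPspoofInit allocates from, returning the static alert text when the buffer was never allocated; the fence below is the full proposal. Note also that the function hands back the shared global, so callers must not hold the pointer across another invocation.

```c
/* Capacity of the shared alert buffer; ARPspoofInit must allocate exactly this much. */
#define ARPSPOOF_MSG_CAP (strlen(ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR) + 150)

/* Append a formatted fragment to msg without writing past ARPSPOOF_MSG_CAP.
 * On truncation *off is pinned at the capacity so later appends are no-ops;
 * a truncated alert is preferable to a heap overflow. Needs <stdarg.h>. */
static void msg_append(size_t *off, const char *fmt, ...)
{
    size_t cap = ARPSPOOF_MSG_CAP;
    va_list ap;
    int n;

    if (msg == NULL || *off >= cap)
        return;
    va_start(ap, fmt);
    n = vsnprintf(msg + *off, cap - *off, fmt, ap);
    va_end(ap);
    *off = (n < 0 || (size_t)n >= cap - *off) ? cap : *off + (size_t)n;
}

#define MAC_FMT "%02x:%02x:%02x:%02x:%02x:%02x"
#define MAC_ARG(m) (m)[0], (m)[1], (m)[2], (m)[3], (m)[4], (m)[5]

char* getIps(char* defaultmsg, uint8_t* affected, uint8_t* attacker,uint8_t* target,Packet* p){
    sfaddr_t ina;
    size_t off = 0;

    /* allocation failed in ARPspoofInit: fall back to the static text */
    if (msg == NULL)
        return defaultmsg;

    msg_append(&off, "%s, Mismatch mapping " MAC_FMT, defaultmsg, MAC_ARG(affected));
    sfip_set_raw(&ina, &p->ah->arp_spa, AF_INET);
    /* inet_ntoa's static result is consumed before the next inet_ntoa call */
    msg_append(&off, " <-> %s", inet_ntoa(IP_ARG(ina)));
    msg_append(&off, ", sha " MAC_FMT ", spa %s", MAC_ARG(attacker), inet_ntoa(IP_ARG(ina)));
    sfip_set_raw(&ina, &p->ah->arp_tpa, AF_INET);
    msg_append(&off, ", tha " MAC_FMT ", tpa %s", MAC_ARG(target), inet_ntoa(IP_ARG(ina)));
    return msg;
}
```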
@@ -505,10 +562,10 @@
             (memcmp((uint8_t *)p->ah->arp_sha, (uint8_t *)ipme->mac_addr, 6)))
         {
+
             SnortEventqAdd(GENERATOR_SPP_ARPSPOOF, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK, 1, 0, 3,
-                    ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR, 0);
-
+                    getIps(ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR, ( uint8_t *)ipme->mac_addr,(uint8_t *)p->ah->arp_sha,(uint8_t *)p->ah->arp_tha,p), 0);
             DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,
                     "MODNAME: Attempted ARP cache overwrite attack\n"););
@@ -635,6 +692,7 @@
 {
     ArpSpoofFreeConfig(arp_spoof_config);
     arp_spoof_config = NULL;
+    free(msg);
 }
 
 static int ArpSpoofFreeConfigPolicy(tSfPolicyUserContextId config,tSfPolicyId policyId, void* pData )
@@ -799,3 +857,4 @@
     ArpSpoofFreeConfig((tSfPolicyUserContextId)data);
 }
 #endif
+
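Review bot: The message now passed to SnortEventqAdd is the shared `msg` buffer that getIps overwrites on every call, so this is only correct if the event queue copies the string or is drained before the next ARP packet is inspected — I cannot confirm which from this hunk, so please check SnortEventqAdd's contract; if it retains the pointer, two queued events would both print the later text. Independently, if the malloc in ARPspoofInit failed, getIps writes through a NULL `msg` before this call ever returns, so either guard here, `msg ? getIps(...) : ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR`, or make getIps itself fall back to the static string. The enclosing detection function begins and ends outside this hunk.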
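Review bot: The added `free(msg);` in the second hunk leaves the file-scope pointer dangling; since `msg` is read from packet-processing code, set it to NULL in the same breath, `free(msg); msg = NULL;`, so a late alert after teardown fails safely instead of writing into freed memory. The function this hunk belongs to starts before the hunk, so I cannot tell whether it is also the path taken on a configuration reload; if it is, pair this release with an `if (msg == NULL)` guard around the allocation in ARPspoofInit so the buffer is neither leaked nor allocated twice across reloads.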