diff --git a/11-pf.conf b/11-pf.conf
index 506d208034bc6d961176645f50aa1487dc57884b..107d8374e0b92771b9333c6b9a2dd0c0dc4d888e 100644
--- a/11-pf.conf
+++ b/11-pf.conf
@@ -34,10 +34,18 @@ filter {
 patterns_dir => ["/etc/logstash/conf.d/patterns"]
 match => [ "message", "%{SURICATA}"]
 }
- if ![geoip] and [ids_src_ip] !~ /^(10\.|172\.22\.|192\.168\.)/ {
+ if ![geoip] and [src_ip] {
+ # Check if source IP address is private.
+ cidr {
+ address => [ "%{[src_ip]}" ]
+ network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+ add_field => { "[@metadata][src_locality]" => "private" }
+ }
+ # Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
+ if ![@metadata][src_locality] {
 geoip {
 add_tag => [ "GeoIP" ]
- source => "ids_src_ip"
+ source => "src_ip"
 database => "/etc/logstash/GeoLite2-City.mmdb"
 }
 }
@@ -45,6 +53,7 @@ filter {
 mutate {
 add_tag => [ "ET-Sig" ]
 add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
+ }
 }
 }
 }
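Review bot: The `network` list in the new `cidr` block ends with a bare `"::"` with no prefix length, and `"0.0.0.0/32"` covers only the single unspecified address rather than the `0.0.0.0/8` "this network" block; whether the plugin accepts a bare `::` depends on how it parses entries, so it is safer spelled out as `"::/128"`. The list also omits the RFC 6598 shared address space `100.64.0.0/10`, so a source behind carrier-grade NAT would not be classified as private and would fall through to the GeoIP lookup (most likely ending in a `_geoip_lookup_failure` tag rather than a location); a single-line change such as `network => [ "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", ..., "::/128" ]` closes both gaps. The inline comment speaks of `src_addr` while the field used everywhere in the hunk is `src_ip`; suggest `# If src_locality is unset, src_ip matched none of the private/reserved ranges above, so treat it as public.` Since `[@metadata][src_locality]` is not emitted with the event, the private/public classification is unavailable to downstream searches; if analysts need it, add a regular field instead of (or in addition to) the metadata one. The closing brace for the new `if ![@metadata][src_locality]` block lands in the second hunk, and the enclosing `if ![geoip] and [src_ip]` block also ends there.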