diff --git a/11-pf.conf b/11-pf.conf
index d3f6f596113383ab4a50c961ad114f4675eedad3..3fad3a4725d372e77aa7df645c244862d4c1049b 100644
--- a/11-pf.conf
+++ b/11-pf.conf
@@ -60,6 +60,37 @@ filter {
         }
       }
     }
+   if [prog] =~ /^snort/ {
+      mutate {
+      add_tag => [ "Snort" ]
+      }
+      grok {
+        patterns_dir => ["/etc/logstash/conf.d/patterns"]
+        match => [ "message", "%{SNORT}"]
+      }
+      if ![geoip] and [src_ip] {
+        # Check if source IP address is private.
+        cidr {
+          address => [ "%{[src_ip]}" ]
+          network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+          add_field => { "[@metadata][src_locality]" => "private" }
+        }
+        # Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
+        if ![@metadata][src_locality] {
+          geoip {
+            add_tag => [ "GeoIP" ]
+            source => "src_ip"
+            database => "/etc/logstash/GeoLite2-City.mmdb"
+          }
+        }
+        if [prog] =~ /^snort/ {
+          mutate {
+            add_tag => [ "ET-Sig" ]
+            add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
+          }
+        }
+      }
+    }    
     if [prog] =~ /^charon$/ {
       mutate {
         add_tag => [ "ipsec" ]