Feature #2519

open

XFF iprep support

Added by chris lujan almost 6 years ago. Updated about 5 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
high
Label:

Description

I have made many attempts and I am fairly confident that when XFF is enabled (in overwrite mode), iprep is not applied to the overwritten field and does not alert.
My method of testing was:
1) GET / request to the webserver behind the load-balancer from a Tor browser (using an IP in the iprep list): no alerts.
2) GET /uid=0(root) gid=0(root) groups=0(root) request to the webserver behind the load-balancer from a Tor browser (using an IP in the iprep list): "GPL ATTACK_RESPONSE id check returned root" alert present, XFF IP present in the src_ip field (src_ip found in the iprep files).
3) Make a GET request to an IP found in the iprep list: "ET TOR Known Tor Exit Node Traffic group 7" && "OTX internal host talking to host known in pulse" alerted.
4) Change the iprep rule from $HOME_NET any -> any any to any any -> any any, retry steps 1-3: same results.
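As an added illustration (not code from this issue or from Suricata itself), the Python sketch below models the behaviour the report describes: with xff mode=overwrite the alert's src_ip is taken from X-Forwarded-For, while the iprep lookup is modelled as still using the packet-level source address. The addresses, category id, threshold and list contents are constructed.

```python
import ipaddress

# Constructed sample list in Suricata's iprep format: <ip or cidr>,<category id>,<reputation>
IPREP_LIST = """\
# category 2 = "tor-exit" (constructed id; real ids live in the categories file)
203.0.113.7,2,100
198.51.100.0/24,2,60
"""
LOAD_BALANCER_IP = "10.0.0.5"  # constructed: the packet-level src_ip seen behind the load balancer

def load_iprep(text):
    """Parse iprep list lines into (network, category, reputation) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, cat, rep = (f.strip() for f in line.split(","))
        entries.append((ipaddress.ip_network(ip, strict=False), int(cat), int(rep)))
    return entries

def reputation(entries, ip, category):
    """Reputation of ip in category; 0 when unlisted (simplification for this model)."""
    addr = ipaddress.ip_address(ip)
    return max((rep for net, cat, rep in entries if cat == category and addr in net), default=0)

def xff_client_ip(header, deployment="reverse"):
    """Pick the hop from X-Forwarded-For the way xff.deployment selects it:
    reverse -> last address in the chain, forward -> first address."""
    hops = [h.strip() for h in header.split(",") if h.strip()]
    if not hops:
        return None
    return hops[-1] if deployment == "reverse" else hops[0]

def evaluate(packet_src, xff_header, entries, category, threshold, iprep_on_xff):
    """Model one HTTP transaction with xff mode=overwrite.
    Returns (src_ip written to the alert, True if 'iprep:src,<cat>,>,<threshold>' would fire).
    iprep_on_xff=False models the reported behaviour: the alert's src_ip is rewritten from
    XFF, but the reputation lookup still uses the packet-level source address."""
    client = xff_client_ip(xff_header) or packet_src
    lookup_ip = client if iprep_on_xff else packet_src
    return client, reputation(entries, lookup_ip, category) > threshold

def demo():
    """Listed Tor-exit address arriving through the load balancer, as in the report."""
    entries = load_iprep(IPREP_LIST)
    return evaluate(LOAD_BALANCER_IP, "203.0.113.7", entries, 2, 30, iprep_on_xff=False)
```

Running demo() yields the listed address in src_ip with no iprep match, which is the mismatch the steps above describe; passing iprep_on_xff=True shows the outcome the requested feature would give.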
