IP Exception For Only local_resp=true

Is it possible to use this filter for just local_resp=true?
redef restrict_filters = { ["not-hosts"] = "not host X.X.X.X" };

I would like to make an exception for the communication from one IP except if it goes outside our network.

Also, can I use multiple lines with different IPs for the exception, or is there a better way, like a list, to add multiple IPs?

Thank you!

Do you actually want/need/require to filter using packet filtering / BPF, or would filtering further up at the log record level be enough? local_resp is easily available with the latter. (I realize the subject asks for IP exception, I’m trying anyway :) )

Otherwise, you won’t be able to use local_resp within a restrict_filter - that is trying to combine information from very different layers. You may come up with a BPF expression to do the same using Site::local_nets, but I don’t believe we provide anything ready-made here.

If log filtering is sufficient for your use-case, see filtering log records in the docs. Justin’s presentation may help for that, too. He may also have more thoughts on restrict_filters/BPF approaches.

Hope this helps
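
The log-level approach suggested in the reply, as an added example that is not part of the original posts: a `Conn::log_policy` hook (Zeek 4.0 or later) that suppresses conn.log records for a list of originators only when the responder is local. The module name, the `excluded_hosts` option and the addresses are assumptions made for illustration.

```zeek
# Added example, not from the thread. Suppress conn.log entries for selected
# originators when the responder is inside Site::local_nets; connections from
# the same hosts to external responders are still logged.
@load base/protocols/conn

module LocalRespException;

export {
    ## Hypothetical option name. The addresses are constructed placeholders;
    ## list as many hosts as needed.
    option excluded_hosts: set[addr] = {
        192.0.2.10,
        192.0.2.11
    };
}

hook Conn::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
    {
    # local_resp is an optional field and depends on Site::local_nets being
    # populated. If it is unset, keep the record.
    if ( ! rec?$local_resp || ! rec$local_resp )
        return;

    # Local responder and an excluded originator: veto the log write.
    if ( rec$id$orig_h in excluded_hosts )
        break;
    }
```

Unlike `restrict_filters`, this only removes the records from conn.log: the packets are still captured and analyzed, and other logs for the same connections are unaffected.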