Question about scan whitelisting ...

I’ve been tinkering with the scan detection in Bro (2.3.2) and I was wondering if this was the most effective method for whitelisting hosts:

const scanners_whitelist {


hook Notice::policy(n: Notice::Info)
if ( n$note == Scan::Port_Scan && n?$src && (n$src in scanners_whitelist) )
print n$src;
delete n$actions[Notice::ACTION_LOG];

Please let me know if there’s a better/more efficient method. Thanks!