bpf:
  pcap: []
  suricata: []
  zeek:
    - ip or not ip