I kinda do something like that.. I don't save all the dropped addresses, I just save the ones that bang on the door, then block them from being forwarded across my network.
Here is the meat and potatoes of how I do that..
/ip firewall filter
add action=accept chain=input comment="input allow estab/relate/untrack" connection-state=established,related,untracked
add action=add-src-to-address-list address-list=White_List address-list-timeout=5m chain=input comment="port knock: 666" connection-state=new dst-port=666 protocol=tcp
add action=accept chain=input comment="input allow from White_List" src-address-list=White_List
add action=drop chain=forward comment="Blocked Internet Access List" out-interface="ether1 - WAN" src-address-list=blocked_internet_access
add action=add-src-to-address-list address-list=Black_List address-list-timeout=4w2d chain=input comment="Brute Force Stage 3" connection-state=new dst-port=21,22,23,80,443,8291,8728,8729 protocol=tcp src-address-list=BF_Stage2
add action=add-src-to-address-list address-list=BF_Stage2 address-list-timeout=2d chain=input comment="Brute Force Stage 2" connection-state=new dst-port=21,22,23,80,443,8291,8728,8729 protocol=tcp src-address-list=BF_Stage1
add action=add-src-to-address-list address-list=BF_Stage1 address-list-timeout=2d chain=input comment="Brute Force Stage 1" connection-state=new dst-port=21,22,23,80,443,8291,8728,8729 protocol=tcp src-address-list=!White_List
add action=drop chain=forward comment="Drop Black_List" src-address-list=Black_List
add action=drop chain=input comment="Drop Black_List" src-address-list=Black_List
add action=drop chain=input dst-port=21,22,23,80,443,8291,8728,8729 in-interface="ether1 - WAN" protocol=tcp src-address-list=!White_List
So I will start with that and add my other rules depending on if it will have OSPF, BGP or whatever else.. But that leads me to what I would like to do.. I just submitted a feature request for MikroTik to add the ability for me to share this Black_List across all the routers in a network on the fly!
Think about how much more ground you are covering if the cracker scans your prefix and hits each IP once every 5 min so as to attempt to not trigger a security reaction, but your network is communicating in the background and still puts his ass in the Black_List!!
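
The staged lists in the rules above and the shared Black_List idea, as an added example that is not part of the original post: a small Python model of the input rules. The names Lists, input_new_tcp and slow_scan are hypothetical, and sharing one set of lists between routers is the feature being requested, not existing RouterOS behaviour. It assumes every connection arrives on the WAN interface and that re-adding an entry refreshes its timeout.

```python
# Added illustration of the post's staged address lists; not RouterOS code.
GUARDED = {21, 22, 23, 80, 443, 8291, 8728, 8729}   # dst-port list from the rules
KNOCK_PORT = 666
M, D = 60, 86400
# Timeouts from the rules: 5m, 2d, 2d, 4w2d (= 30 days)
TTL = {"White_List": 5 * M, "BF_Stage1": 2 * D, "BF_Stage2": 2 * D, "Black_List": 30 * D}


class Lists:
    """Address lists with per-entry expiry. One instance can be shared by several routers."""

    def __init__(self):
        self.expiry = {}                             # (list name, src) -> expiry, seconds

    def has(self, name, src, now):
        return self.expiry.get((name, src), 0) > now

    def add(self, name, src, now):
        self.expiry[(name, src)] = now + TTL[name]   # assumption: re-adding refreshes


def input_new_tcp(lists, src, dport, now):
    """Walk the post's input rules in order for one new TCP connection from the WAN."""
    if dport == KNOCK_PORT:
        lists.add("White_List", src, now)            # "port knock: 666"
    if lists.has("White_List", src, now):
        return "accept"                              # "input allow from White_List"
    guarded = dport in GUARDED
    # Stage 3 is tested before 2, and 2 before 1, so one connection advances one stage.
    if guarded and lists.has("BF_Stage2", src, now):
        lists.add("Black_List", src, now)
    if guarded and lists.has("BF_Stage1", src, now):
        lists.add("BF_Stage2", src, now)
    if guarded:                                      # src is not on White_List here
        lists.add("BF_Stage1", src, now)
    if lists.has("Black_List", src, now):
        return "drop (Black_List)"
    return "drop" if guarded else "continue"         # "continue": rules not shown in the post


def slow_scan(routers, src, port=22, gap=5 * M):
    """One new connection per router, 5 minutes apart; returns each router's verdict."""
    return [input_new_tcp(lists, src, port, i * gap) for i, lists in enumerate(routers)]


if __name__ == "__main__":
    src = "203.0.113.7"                              # constructed, documentation range
    print("separate lists:", slow_scan([Lists(), Lists(), Lists()], src))
    shared = Lists()                                 # hypothetical network-wide lists
    print("shared lists:  ", slow_scan([shared] * 3, src))
```

With separate lists each router only ever sees a first hit, so the source stays at BF_Stage1 everywhere; with one shared set the third hit, on any router, lands it on Black_List.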