From 36c4d112c8dd723b91bc187abfa2a7db3464a52a Mon Sep 17 00:00:00 2001
From: Mohan Dhawan
Date: Tue, 29 Apr 2025 16:30:31 +0530
Subject: [PATCH] coalesce smtp handlers for ADDR
---
 scripts/policy/frameworks/intel/seen/smtp.zeek | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/scripts/policy/frameworks/intel/seen/smtp.zeek b/scripts/policy/frameworks/intel/seen/smtp.zeek
index 0ae9e82269..940278cb9d 100644
--- a/scripts/policy/frameworks/intel/seen/smtp.zeek
+++ b/scripts/policy/frameworks/intel/seen/smtp.zeek
@@ -3,7 +3,7 @@
 @load base/protocols/smtp
 @load ./where-locations
 
-event mime_end_entity(c: connection)
+event mime_end_entity(c: connection) &group="Intel::ADDR"
 {
 if ( c?$smtp )
 {
@@ -17,13 +17,7 @@ event mime_end_entity(c: connection)
 $where=SMTP::IN_RECEIVED_HEADER]);
 }
 }
- }
- }
 
-event mime_end_entity(c: connection) &group="Intel::ADDR"
- {
- if ( c?$smtp )
- {
 if ( c$smtp?$x_originating_ip )
 Intel::seen([$host=c$smtp$x_originating_ip,
 $conn=c,
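Review bot: Adding `&group="Intel::ADDR"` to the first `mime_end_entity` handler gates its whole body on that event group, including the lines between the two hunks, which this patch does not show. The visible `$where=SMTP::IN_RECEIVED_HEADER` call suggests that part is the Received-path host lookup, which fits the group. If anything else in that stretch reports a non-address indicator, it would stop being checked whenever the group is disabled, presumably without any error or log line. I would confirm the merged body is address-only and add a comment above the handler such as `# Every Intel::seen call in this handler passes $host; the handler is disabled together with the Intel::ADDR event group.` The handler body continues past the end of the second hunk, so the same check applies to whatever follows the `x_originating_ip` lookup.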