In 2.4.1, it seems that there is no c$smtp$cc field in the smtp analyzer, but there is in 2.5. I noticed in 2.4.1, processing cc fields is haphazard at best, and is totally unreliable. Is this really only fixed in 2.5 with the addition of the cc processor for the smtp analyzer?
https://github.com/bro/bro/blob/master/NEWS#L228
That was an oversight in previous version of Bro.
.Seth