As there was no feedback, I decided to use a bif (see https://github.com/bro/bro/commit/16b1032beeaaf681763785ddac1eed4128430965). It might not be the cleanest solution with respect to the bro language but it is a straight forward approach.