A vulnerability scan detection script for Zeek. It distinguishes a basic scan from a vulnerability scan by checking whether a reasonable amount of data was transferred on a few ports or many hosts in a short period of time.
Many thanks to ncsa/bro-simple-scan, on which this script is based.
$ zkg install https://github.com/lilyinstarlight/zeek-vuln-scan.git
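
The heuristic described above, sketched in Python over constructed connection records. This is an added illustration, not code from this package or from ncsa/bro-simple-scan. It covers one case only: a single source reaching many hosts on a few ports. The thresholds, the record layout and the names `classify` and `SAMPLE` are assumptions.

```python
from collections import defaultdict

# Assumed thresholds for illustration; not taken from the zeek-vuln-scan package.
WINDOW = 300.0    # "short period of time", in seconds
MIN_BYTES = 200   # payload bytes counted as "a reasonable amount of data"
MIN_HOSTS = 5     # distinct destinations counted as "many hosts"
MAX_PORTS = 3     # distinct destination ports counted as "a few ports"

def classify(conns):
    """conns: iterable of (ts, src, dst, dport, total_payload_bytes).
    Returns {src: "basic_scan" | "vuln_scan"} for sources that reached
    MIN_HOSTS hosts on at most MAX_PORTS ports inside one sliding window."""
    by_src = defaultdict(list)
    for rec in conns:
        by_src[rec[1]].append(rec)
    verdicts = {}
    for src, rows in by_src.items():
        rows.sort()  # order by timestamp
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most WINDOW seconds.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            hosts = {r[2] for r in window}
            ports = {r[3] for r in window}
            if len(hosts) < MIN_HOSTS or len(ports) > MAX_PORTS:
                continue  # not scan-shaped in this window
            # Scan-shaped: decide by how many hosts actually exchanged data.
            data_hosts = {r[2] for r in window if r[4] >= MIN_BYTES}
            if len(data_hosts) >= MIN_HOSTS:
                verdicts[src] = "vuln_scan"
                break
            verdicts.setdefault(src, "basic_scan")
    return verdicts

def _mk(src, port, nbytes, step, n=6):
    # Constructed records: n connections from src, one per host, `step` seconds apart.
    return [(i * step, src, f"192.0.2.{i + 1}", port, nbytes) for i in range(n)]

# Constructed sample: empty probes, data-bearing probes, a slow sweep, a normal client.
SAMPLE = (_mk("10.0.0.5", 22, 0, 10) + _mk("10.0.0.9", 443, 1500, 10)
          + _mk("10.0.0.8", 443, 1500, 600) + _mk("10.0.0.7", 443, 90000, 5, n=2))

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The slow sweep from 10.0.0.8 gets no verdict because no 300-second window contains enough hosts, which shows how far the result depends on the window length chosen.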