I put a video together (https://www.youtube.com/watch?v=PcXjkUt3rZA) discussing a method I have used to detect CVEs using just Zeek signatures:
This method is useful when trying to detect a CVE exploit in a protocol that is not fully parsed by Zeek. In this video we discuss a CVE for portmapper, which is a protocol not natively supported by Zeek.
In this video we are not teaching you about detecting specific CVEs as much as I am trying to teach you the method of CVE detection using only Zeek signatures when Zeek can’t fully parse the connection.
My slides (all the links are clickable): https://docs.google.com/presentation/d/1lJGNphy6bGwtEBOGGDgQQpLe-kOCpJk5LEX881OUzkc/edit?usp=sharing