also a bit late, but...
I am working on a Zeek script and would like to
understand how can I make
Zeek look only for the first ten packets in a tcp session.
At the moment - there sadly probably is not better approach than what you
already found in script-land - we don't offer any specialized event to
only get notified for the first x packets.
A more complicated alternative is to write a C++-level analyzer - which could drop out
after a set number of packets.