Just to clarify:
There is no hierarchy between those 2 protections. Your connection may be fully compliant with HTTP and at the same time contain the "GNU Bash Remote Code Execution" signature.
Non compliant HTTP connections may not always be malicious. It simply means that the header was not formatted as specified by the RFC. This may be caused by a problem with the website. In some cases this can be exploited, that is why you have that protection.
Other protections in "inspection settings" are also focused on basic protocol structure. You may tweak them to prevent the use of native protocol features that may make an attackers life easier. However, this doesn't mean that you are being attacked every time you see a prevention log.
Protections under "IPS protections, on the other hand, are much more closely related to malicious traffic, even though there are many false positives.