Nessus triggers the same Shellshock-Attack Mails/Alerts hundred times daily


Andrehens Chicfici

Feb 11, 2026, 6:12:23 AM (21 hours ago) Feb 11
to Wazuh | Mailing List
Hey,

I am using Nessus to test our network. This results in hundreds of mails/alerts daily from the same host:

Rules 31168 and 31169 with the description "Shellshock Attack detected" from 0245-web_rules.xml in the /ruleset/rules path get triggered hundreds of times and look like:

  <rule id="31168" level="15">
    <if_sid>31108</if_sid>
    <regex>"\(\)\s*{\s*\w*:;\s*}\s*;|"\(\)\s*{\s*\w*;\s*}\s*;</regex>
    <description>Shellshock attack detected</description>
    <mitre>
      <id>T1068</id>
      <id>T1190</id>
    </mitre>
    <info type="cve">CVE-2014-6271</info>
    <info type="link">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271</info>
    <group>attack,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

AND

  <rule id="31169" level="15">
    <if_sid>31108</if_sid>
    <regex>"\(\)\s*{\s*_;\.*}\s*>_[\$\(\$\(\)\)]\s*{</regex>
    <description>Shellshock attack detected</description>
    <mitre>
      <id>T1068</id>
      <id>T1190</id>
    </mitre>
    <info type="cve">CVE-2014-6278</info>
    <info type="link">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278</info>
    <group>attack,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

I didn't touch those two rules; they're native Wazuh rules.

Why is it sending the same 2 alerts more than 100 times every day? And how can I make it send them just one time? And is there a fix? I mean yeah, Nessus is trying Shellshock attacks. But I am doing it on purpose. But why does just one host get triggered? And I don't want to ignore it, so that I still get alerts about a real Shellshock attack attempt.

I found another similar post here which recommends just setting the rule level to 0. That is not a solution in my eyes.

https://groups.google.com/g/wazuh/c/t-epCxHOtnk/m/uPRhBly4AgAJ


Cheers

chic


hasitha.u...@wazuh.com

Feb 11, 2026, 6:31:12 AM (20 hours ago) Feb 11
to Wazuh | Mailing List
Hi Andrehens,

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

Feb 11, 2026, 6:47:07 AM (20 hours ago) Feb 11
to Wazuh | Mailing List
Hi Andrehens,

I believe we can create a custom rule to exclude alerts from that Nessus log source. Could you please share sample logs related to both rules? This will help us check if it's possible to exclude these events based on the log source.

There is an option to use the ignore attribute in the rule tag. However, in your case, you shouldn't use it to overwrite rules and avoid alert floods during specific times, because doing so would also exclude real attacks. The best option is to review the sample logs that trigger those alerts and create a custom rule with level 0 to silence them instead.

Example:

  <rule id="100200" level="0">
      <if_sid>31168</if_sid>
      <regex>\.+192.168.8.100\.+</regex>
      <description>Legitimate Shellshock attack detected from Nessus.</description>
  </rule>

If the Nessus IP address appears in the log, you can write a regex to match it. If the log decodes the IP address, you can use the <field> tag in the rule instead. However, we need to review the sample logs to provide you with the proper solution.

Ref:
Wazuh Regex
Custom rules
Rule syntax

Andrehens Chicfici

Feb 11, 2026, 8:17:29 AM (19 hours ago) Feb 11
to Wazuh | Mailing List

Hey,
thanks for the fast help!
I reviewed my logs like you said and now I understand WHY it is triggering so often. It tries every string and then of course triggers the two rules. I get alerted via mail and that doesn't contain the full_log.

The logs say:

RuleID 31168:
192.168.8.100 - - [10/Feb/2026:21:08:12 +0000] "GET / HTTP/1.1" 200 11272 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6271_rce Output : $((74+75))\""
192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET /zabbix/index.php HTTP/1.1" 200 6361 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6271_rce Output : $((74+75))\""
192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET /xampp/cgi.cgi HTTP/1.1" 301 584 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6271_rce Output : $((29+68))\""
192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET /wwwboard.cgi HTTP/1.1" 301 582 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6271_rce Output : $((29+68))\""
192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET /wwwadmin.cgi HTTP/1.1" 301 582 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6271_rce Output : $((29+68))\""

[...]

RuleID 31169:

192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET / HTTP/1.1" 200 11272 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((97+45))\"; }"
192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET /zabbix/index.php HTTP/1.1" 200 6361 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((97+45))\"; }"
192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET /xampp/cgi.cgi HTTP/1.1" 301 584 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((73+7))\"; }"
192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET /wwwboard.cgi HTTP/1.1" 301 582 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((73+7))\"; }"
192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET /wwwboard.cgi HTTP/1.1" 301 582 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((73+7))\"; }"

[...]

So I guess your solution with the subrule might work:

  <rule id="100200" level="0">
      <if_sid>31168</if_sid>
      <regex>\.+192.168.8.100\.+</regex>
      <description>Legitimate Shellshock attack detected from Nessus.</description>
  </rule>

Am I able to get both sids in one rule, separated by a comma? Like:

  <rule id="100200" level="0">
      <if_sid>31168,31169</if_sid>
      <regex>\.+192.168.8.100\.+</regex>
      <description>Legitimate Shellshock attack detected from Nessus.</description>
  </rule>


Will try that and see if it triggers tonight...

cheers
chic
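As an added, self-contained illustration (not code from the thread, and not the Wazuh engine itself), the Python script below simulates the rule chain proposed in the answer and the combined-if_sid variant asked about at the end, which is valid Wazuh syntax: the two Shellshock regexes (translated here to Python re, an approximation of Wazuh's own regex dialect), the source IP the web-accesslog decoder extracts, and a level-0 child rule that silences only the scanner at 192.168.8.100. The sample lines are modelled on the ones in the thread; the host 10.9.9.9 is constructed to show that the same request from anywhere else still alerts at level 15.

```python
import re

# Constructed sample lines modelled on the thread: two Nessus probes (one per rule)
# and a made-up identical probe from another host, 10.9.9.9, that must still alert.
SCANNER_IP = "192.168.8.100"  # the Nessus host from the thread
SAMPLE_LOGS = [
    '192.168.8.100 - - [10/Feb/2026:21:08:12 +0000] "GET / HTTP/1.1" 200 11272 "-" '
    '"() { ignored; }; echo Content-Type: text/plain ; echo ; echo \\"bash_cve_2014_6271_rce Output : $((74+75))\\""',
    '192.168.8.100 - - [10/Feb/2026:21:08:11 +0000] "GET / HTTP/1.1" 200 11272 "-" '
    '"() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \\"bash_cve_2014_6278 Output : $((97+45))\\"; }"',
    '10.9.9.9 - - [10/Feb/2026:22:00:00 +0000] "GET / HTTP/1.1" 200 11272 "-" '
    '"() { ignored; }; echo Content-Type: text/plain ; echo ; echo \\"bash_cve_2014_6271_rce Output : $((74+75))\\""',
    '10.9.9.9 - - [10/Feb/2026:22:00:01 +0000] "GET / HTTP/1.1" 200 11272 "-" "Mozilla/5.0"',
]

# Stand-in for the web-accesslog decoder: pulls srcip, url, status and user agent.
ACCESS_LOG = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>.*)"$')

# Python-re translations (an assumption, not the Wazuh engine) of the two ruleset
# regexes; Wazuh's "\." means "any character", hence the ".*" in 31169.
SHELLSHOCK_RULES = {
    31168: re.compile(r'"\(\)\s*\{\s*\w*:;\s*\}\s*;|"\(\)\s*\{\s*\w*;\s*\}\s*;'),
    31169: re.compile(r'"\(\)\s*\{\s*_;.*?\}\s*>_\[\$\(\$\(\)\)\]\s*\{'),
}


def evaluate(line):
    """Walk one line through the chain: decode, test 31168/31169, then apply the
    level-0 child rule (<if_sid>31168,31169</if_sid> plus an exact srcip check).
    Returns the winning rule as a dict, or None when nothing fires."""
    decoded = ACCESS_LOG.match(line)
    if not decoded:
        return None
    srcip = decoded.group("srcip")
    for rule_id, pattern in SHELLSHOCK_RULES.items():
        if not pattern.search(line):
            continue
        if srcip == SCANNER_IP:  # child rule: only this exact source is silenced
            return {"rule": 100200, "parent": rule_id, "level": 0, "srcip": srcip,
                    "description": "Legitimate Shellshock attack detected from Nessus."}
        return {"rule": rule_id, "parent": 31108, "level": 15, "srcip": srcip,
                "description": "Shellshock attack detected"}
    return None


def alerts(lines, min_level=1):
    """Events that would still be reported, i.e. those at or above min_level."""
    return [r for r in map(evaluate, lines) if r and r["level"] >= min_level]
```

Comparing the decoded srcip exactly, as the answer suggests with the <field> approach, avoids the loose substring match a raw-log regex gives; the level-0 events still exist (see min_level=0) and are simply not alerted.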