Summary
This PR introduces a new CRE (Common Remediation Enumeration) detection rule for a common and critical Redis failure. The failure occurs when a Redis instance reaches its configured `maxmemory` limit and, due to its active memory management policy (typically `noeviction`, which is often the default), begins rejecting client write commands.
Closes #42 /claim #42
Rule Added
Failure Scenario Details
The rule is designed to detect the specific error message `(error) OOM command not allowed when used memory > 'maxmemory'` that Redis sends to clients under these conditions. This indicates that the server cannot allocate memory for new write operations and is not configured to evict existing keys to make space.
Video Demonstration
https://github.com/user-attachments/assets/20b90536-9917-46da-b566-0a38aa0decb8
Reproduction Environment & Logs
A complete, minimal setup to reproduce this failure scenario is available in a separate GitHub repository:
➡️ Reproduction Repository: https://github.com/amuta/cre-2025-0071-setup
This repository includes:

- `docker-compose.yml` to set up the Redis instance with appropriate `maxmemory` limits.
- `run_oom_test.sh` script to trigger the OOM condition by writing data.
- `test.log` which contains example logs. Crucially, `test.log` captures the timestamped output directly from the `redis-cli` client, demonstrating the exact error message as an application would receive and log it.

Detection Logic within the Rule
The CRE rule identifies this failure by using a regular expression to match the distinct error string `OOM command not allowed when used memory > 'maxmemory'` within logs originating from applications or clients interacting with Redis.
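The matching logic described above, as an added stand-alone example that is not the PR's rule or the CRE project's own code: it applies the same regular-expression match to constructed, timestamped log lines in the style of `redis-cli` output (the sample lines, timestamps and the `detect_redis_oom` helper are assumptions, not the repository's `test.log`), and shows that an unrelated kernel OOM-killer line does not trigger it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The Redis error the rule looks for. redis-cli prefixes it with "(error)";
# application client libraries usually log only the text after that prefix,
# so the prefix is optional. The trailing period Redis appends is not anchored.
OOM_PATTERN = re.compile(
    r"(?:\(error\)\s+)?OOM command not allowed when used memory > 'maxmemory'"
)

# Leading ISO-8601 timestamp, as a log shipper or timestamped redis-cli run emits.
TIMESTAMP_PATTERN = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?)\s")


@dataclass
class OomHit:
    line_no: int
    timestamp: Optional[str]
    line: str


def detect_redis_oom(lines: List[str]) -> List[OomHit]:
    """Return one OomHit per log line carrying the Redis OOM write-rejection error."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if OOM_PATTERN.search(line):
            ts = TIMESTAMP_PATTERN.match(line)
            hits.append(OomHit(n, ts.group(1) if ts else None, line.rstrip()))
    return hits


# Constructed sample log (assumption, not the PR's test.log): two successful
# SETs, two rejected writes after maxmemory is hit, and an unrelated kernel line.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z OK
2025-05-01T10:00:02Z OK
2025-05-01T10:00:03Z (error) OOM command not allowed when used memory > 'maxmemory'.
2025-05-01T10:00:04Z (error) OOM command not allowed when used memory > 'maxmemory'.
2025-05-01T10:00:05Z kernel: Out of memory: Killed process 4242 (worker)
"""

if __name__ == "__main__":
    for hit in detect_redis_oom(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no} @ {hit.timestamp}: {hit.line}")
```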
André Muta
@me-andremuta-com
Prequel
@prequel-dev