Nat storage exhaustion (CRE-2025-0088) (#82)

* nats slow consumer

* updates

Author: Evad0

rules/CRE-2025-0088/nats-slow-consumer-concise.yaml

@@ -0,0 +1,53 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: 9KdL2nQpR3sWyZzF4GxHkM
+      gen: 1
+    cre:
+      id: CRE-2025-0088
+      severity: 1
+      title: NATS JetStream Storage Exhaustion Detection
+      category: message-queue-problems
+      author: Community
+      description: |
+        Detects NATS JetStream storage exhaustion conditions when streams reach configured
+        storage limits (maximum bytes, maximum messages) causing message storage failures.
+        These patterns indicate insufficient stream storage capacity relative to message
+        production rate, leading to message rejection and potential data loss.
+      cause: |
+        JetStream streams configured with insufficient storage limits (max_bytes, max_msgs)
+        relative to message production rate and retention requirements. Messages exceed
+        configured stream storage capacity faster than they can be consumed or expired.
+      impact: |
+        Message storage failures, potential data loss, stream unavailability, producer
+        errors, degraded application performance, and inability to persist critical messages
+        in JetStream streams.
+      impactScore: 9
+      tags:
+        - nats
+        - jetstream
+        - storage-exhaustion
+        - message-storage-failure
+        - capacity-exceeded
+        - data-loss-risk
+      mitigation: |
+        Increase JetStream stream storage limits (max_bytes, max_msgs), implement stream
+        retention policies, scale consumer processing capacity, monitor stream storage
+        utilization, implement producer flow control, and configure appropriate discard
+        policies for stream overflow scenarios.
+      mitigationScore: 8
+      references:
+        - https://docs.nats.io/nats-concepts/jetstream/streams
+        - https://docs.nats.io/nats-concepts/jetstream/administration
+        - https://docs.nats.io/running-a-nats-service/nats_admin/jetstream_admin
+      applications:
+        - name: nats-server
+          version: ">=2.2.0"
+
+    rule:
+      set:
+        event:
+          source: cre.log.nats.jetstream
+        match:
+          - regex: '(?i)jetstream\s+failed\s+to\s+store.*maximum\s+bytes\s+exceeded'
+            count: 1%                                                                                               

rules/CRE-2025-0088/test.log

@@ -0,0 +1,3 @@
+[1] 2025/06/29 11:57:58.502311 [INF]   Name:     nats-jetstream-storage-test
+[1] 2025/06/29 11:58:16.221858 [DBG] JetStream failed to store a msg on stream '$G > STORAGE_TEST': maximum bytes exceeded
+[1] 2025/06/29 11:58:17.622012 [DBG] JetStream failed to store a msg on stream '$G > STORAGE_TEST': maximum bytes exceeded

rules/tags/tags.yaml

@@ -702,3 +702,15 @@ tags:
   - name: critical-infrastructure
     displayName: Critical Infrastructure
     description: Issues affecting mission-critical infrastructure components that require immediate attention to prevent widespread outages
+  - name: storage-exhaustion
+    displayName: Storage Exhaustion
+    description: Problems where storage limits are exceeded causing service failures or data rejection
+  - name: message-storage-failure
+    displayName: Message Storage Failure
+    description: Failures to persist messages due to storage constraints or system limitations
+  - name: capacity-exceeded
+    displayName: Capacity Exceeded
+    description: Problems where system capacity limits (storage, memory, connections) are exceeded
+  - name: data-loss-risk
+    displayName: Data Loss Risk
+    description: Conditions that may lead to data loss if not addressed promptly