
Potential Redis Lua Use-After-Free RCE Attempt (CVE-2025-49844 / RediShell)

Elastic Detection Rules

Summary
This rule detects exploitation attempts against CVE-2025-49844 (RediShell), a use-after-free in the Lua interpreter embedded in Redis that can lead to remote code execution. It watches Redis EVAL payloads whose Lua script first calls string.rep() to create memory pressure and then collectgarbage('collect') to force a garbage-collection cycle; that sequence is what triggers the use-after-free in the Lua parser. The detection matches the network_traffic.redis.query field (populated by the Redis protocol module) against patterns that contain EVAL together with string.rep and collectgarbage.

The rule relies on the Elastic network_traffic integration (Packetbeat) and only inspects unencrypted Redis traffic (default port 6379). TLS-encrypted Redis traffic is opaque to it, so in TLS deployments the rule should be treated as a complement to endpoint telemetry for Lua scripting activity and other host-side indicators rather than as primary coverage.

The rule carries a critical risk score, and its author treats matches as high-confidence exploitation attempts. It maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application, Initial Access) and T1059 (Command and Scripting Interpreter, Execution) with sub-technique T1059.011 (Lua). References to the CVE details and vendor advisories are included in the rule metadata.

Investigation steps emphasize validating the source and destination, checking whether the destination's Redis version is patched, reviewing the surrounding Redis commands for post-exploitation activity, and looking for reverse shells or new listening ports on the destination host. False positives may include legitimate security testing; validate against known scanners and maintenance windows.

Recommended mitigations include patching Redis to a fixed version, restricting Redis access to trusted networks, enforcing authentication, restricting EVAL through ACLs, and isolating affected hosts while rotating credentials.
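The matching logic described above, written out as an added example that is not the Elastic rule's own code or part of the page. It decodes a RESP2 request the way it appears on an unencrypted port-6379 connection, rebuilds the query string, and applies the EVAL plus string.rep plus collectgarbage check to constructed samples (no captured traffic). Two assumptions are labelled in the code: that the redis.query field is the command and its arguments joined by single spaces, and that the shipped rule checks these tokens as literal substrings.

```python
import re

# Added example, not the Elastic rule's code. Assumption: the redis.query field
# holds the command and its arguments joined by single spaces.


def parse_resp_array(payload: bytes) -> list[str]:
    """Decode one RESP2 array-of-bulk-strings request (the form clients send)."""
    if not payload.startswith(b"*"):
        raise ValueError("expected RESP array")
    end = payload.index(b"\r\n")
    count = int(payload[1:end])
    pos = end + 2
    parts = []
    for _ in range(count):
        if payload[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string")
        end = payload.index(b"\r\n", pos)
        length = int(payload[pos + 1:end])
        start = end + 2
        parts.append(payload[start:start + length].decode("utf-8", "replace"))
        pos = start + length + 2
    return parts


def resp_encode(*args: str) -> bytes:
    """Encode a command as a RESP2 array (used only to build the constructed samples)."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode("utf-8")
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def to_query(parts: list[str]) -> str:
    """Rebuild the space-joined query string (assumed redis.query layout)."""
    return " ".join(parts)


# Lua identifiers are case-sensitive; the Redis command name is not.
_STRING_REP = re.compile(r"\bstring\.rep\b")
_COLLECTGARBAGE = re.compile(r"\bcollectgarbage\b")


def is_redishell_attempt(query: str) -> bool:
    """True when the query is an EVAL whose script names both string.rep and collectgarbage."""
    head = query.split(None, 1)
    if not head or head[0].upper() != "EVAL":
        return False
    return bool(_STRING_REP.search(query) and _COLLECTGARBAGE.search(query))


# Constructed samples (not captured traffic). The first mimics the primitive the
# rule keys on: memory pressure via string.rep, then a forced GC cycle.
EXPLOIT_SCRIPT = (
    "local pad = string.rep('A', 1024 * 1024)\n"
    "collectgarbage('collect')\n"
    "return 0"
)
SAMPLES = {
    "exploit_attempt": resp_encode("EVAL", EXPLOIT_SCRIPT, "0"),
    "benign_eval": resp_encode("EVAL", "return redis.call('GET', KEYS[1])", "1", "user:42"),
    "gc_probe_only": resp_encode("EVAL", "return collectgarbage('count')", "0"),
    "plain_set": resp_encode("SET", "session:1", "abc"),
    # Same primitive with string.rep reached by table indexing: identical in Lua,
    # but a literal "string.rep" match never sees it.
    "evasion_indexed": resp_encode(
        "EVAL", "local p = string['rep']('A', 1024 * 1024) collectgarbage('collect')", "0"
    ),
}


def alerts(samples: dict[str, bytes]) -> list[str]:
    """Names of the samples the rule logic would flag."""
    hits = []
    for name, payload in samples.items():
        if is_redishell_attempt(to_query(parse_resp_array(payload))):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        flagged = is_redishell_attempt(to_query(parse_resp_array(payload)))
        print(f"{name:16s} -> {'ALERT' if flagged else 'ok'}")
```

Only the exploit_attempt sample is flagged; the benign EVAL and the bare collectgarbage('count') probe pass, which is the behaviour the rule's high-confidence labelling depends on. The evasion_indexed sample shows the caveat of any literal-token rule: string['rep'] is the same function as string.rep, so an attacker who rewrites the script that way is not caught, and a script staged with SCRIPT LOAD and executed through EVALSHA carries its body in a different command than the EVAL the page describes. Check the shipped rule source for the exact field name and pattern before relying on either behaviour.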
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1190
  • T1059
  • T1059.011
Created: 2026-06-11