incorporating new Suricata rules (and removing old ones) without restarting the Suricata containers

[mmguero]

A user asked about the ability to pick up new custom suricata rules without stopping/starting the suricata container. Mainly, the ability to have rules files placed in ./suricata/rules/ get incorporated into the new suricata.yaml config file and rules deleted from there to be remove.

This documentation suggests a restart of the live-suricata process via supervisord, but I'm suspicious if that's actually correct because I don't see how that would regenerate the config file.

I gave this command:

docker compose exec -u 1000 suricata-live bash -c '/usr/local/bin/suricata_config_populate.py --suricata /usr/bin/suricata-offline -vv && kill -USR2 $(pidof suricata) && echo "Suricata reload signaled"'

as a temporary workaround, but it was reported that old rules were not removed.

So the task is:

• figure out what needs to happen to (if necessary, which I think it is, as I think it enumerates the custom rules files and appends their paths to the yaml file), for a command for new suricata rules to be added to the file and now-missing suricata rules to be removed, and to reload the rules in suricata (probably with that USR2 signal)
• fix the documentation