Stefan Berger/Watson/IBM wrote on 03/22/2012 05:33:41 PM:
Ok.
An idea may be that the thread has to 'find' its snoop request in a
global list every time it processes a packet. Once it cannot find it
anymore, it dies. Removing the request from the global list would be
the way to terminate the thread. Also, it would have to hold a lock
on the snoop request while it does anything other than waiting for
packets in the pcap library.
Actually, that's exactly what I was going to do -- a hash list
of valid threads and exit if it isn't in the list; then still remove
the req's and free them as the current code does, which means they
won't interfere with each other, but the cancel code can be separated,
in the same place, but synchronous with no signal; thread management
independent of req management.
+_DLS
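The scheme discussed above, as an added example that is not code from this thread or from the project it concerns: the entry on the global list is what keeps a thread alive, the worker re-finds its request on every packet and exits when it is gone, and cancel is the synchronous unlink-and-join with no signal. `wait_for_packet` (standing in for the pcap wait), `snoop_start` and `snoop_cancel` are assumed names.

```c
#include <pthread.h>
#include <stdlib.h>
#include <unistd.h>

struct snoop_req {                       /* being on the global list is the licence to run */
    unsigned long id;
    pthread_t thread;
    unsigned long packets;               /* work done, reported back at cancel */
    struct snoop_req *next;
};
static pthread_mutex_t reqs_lock = PTHREAD_MUTEX_INITIALIZER;
static struct snoop_req *reqs;           /* global list, guarded by reqs_lock */
/* Stand-in for the pcap wait (an assumption): blocks briefly, no lock held. */
static void wait_for_packet(void) { usleep(1000); }

static void *snoop_worker(void *arg) {
    unsigned long id = (unsigned long)arg;   /* carry only the id: the req may be freed */
    for (;;) {
        wait_for_packet();
        pthread_mutex_lock(&reqs_lock);      /* lock for anything other than waiting */
        struct snoop_req *r = reqs;
        while (r && r->id != id) r = r->next;
        if (!r) { pthread_mutex_unlock(&reqs_lock); return NULL; }  /* gone: die */
        r->packets++;
        pthread_mutex_unlock(&reqs_lock);
    }
}

int snoop_start(unsigned long id) {
    struct snoop_req *r = calloc(1, sizeof *r); if (!r) return -1;
    r->id = id;
    pthread_mutex_lock(&reqs_lock);          /* publish before the thread can look */
    if (pthread_create(&r->thread, NULL, snoop_worker, (void *)id) != 0) {
        pthread_mutex_unlock(&reqs_lock); free(r); return -1;
    }
    r->next = reqs; reqs = r;
    pthread_mutex_unlock(&reqs_lock);
    return 0;
}

/* Synchronous cancel: unlink under the lock, join outside it, then free. */
long snoop_cancel(unsigned long id) {
    struct snoop_req **pp = &reqs, *r;
    pthread_mutex_lock(&reqs_lock);
    while ((r = *pp) && r->id != id) pp = &r->next;
    if (r) *pp = r->next;                    /* the unlink is the only "signal" */
    pthread_mutex_unlock(&reqs_lock);
    if (!r) return -1;
    pthread_join(r->thread, NULL);           /* worker exits on its next lookup */
    long n = (long)r->packets; free(r); return n;
}
```

Because the unlink is only noticed after the wait returns, the join blocks until the next packet (or the capture's read timeout) arrives.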